Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex help, using ^ character

AttarSingh1
Explorer
‎09-12-2022 12:47 PM

Hey,

 

I was trying to filter some search data in splunk using regex. I was able to figure the regex part. However when I try to input into splunk, i get an error. 
Error in 'SearchParser': Missing a search command before '\'. Error at position '321' of search query 'search index=nessus [ search index=nessus ...{snipped} {errorcontext = <paths>^([\w]+[^\w\r\}'.

 

Splunk command : | rex field=pluginText (?<paths>^([\w]+[^\w\r\n]+){2}[\w]+)

regex link : regex101: build, test, and debug regex

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎09-12-2022 02:07 PM

Hi @AttarSingh1,

Please try below;

| rex max_match=0 field=pluginText "(?m)(?<paths>^([\w]+[^\w\r\n]+){2}[\w]+)"

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎09-12-2022 02:07 PM

Hi @AttarSingh1,

Please try below;

| rex max_match=0 field=pluginText "(?m)(?<paths>^([\w]+[^\w\r\n]+){2}[\w]+)"

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

AttarSingh1
Explorer
‎09-12-2022 02:56 PM

can you explain what the (?m) does

 

everything works with this. thanks a bunch

0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎09-12-2022 08:57 PM

Hi @AttarSingh1,

Nice to hear everything works. 

(?m) is the (?<option_flag>) construct allows you to set various matching properties like case-insensitivity, multiline, greedy,

The "m" flag is for multiline data.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎09-12-2022 12:51 PM

@AttarSingh1,

You should put the regex expression into double quotes like below;

| rex field=pluginText "(?<paths>^([\w]+[^\w\r\n]+){2}[\w]+)"
If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

AttarSingh1
Explorer
‎09-12-2022 01:01 PM

Thanks that did take care of the error, but my variable isnt storing value.

0 Karma
Reply
Solved! Jump to solution

AttarSingh1
Explorer
‎09-12-2022 01:04 PM

Do you have any ideas on how to set regex flags /gm, in splunk. Unsure if you need to. but thats what regex101 made me do. so maybe thats the missing piece

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...