Splunk Search

Regex works on regex101 but not splunk

syk19567
Explorer

Hi community,

I'm using rex to get some strings.

The log is like

\"submission_id\":337901

The regex I'm using is:

\"submission_id\\\":(?<subID>\d+)

It works well on regex101:
https://regex101.com/r/Usr7Ki/1

However, in Splunk, it doesn't find anything.
The command is (just added double quotes to wrap the regex)

rex "\"submission_id\\\":(?<subID>\d+)"

Any ideas and suggestions are appreciated!

ITWhisperer
SplunkTrust
SplunkTrust

You need to double up on some of your backslashes

| rex "\\\"submission_id\\\\\":(?<subID>\d+)"

Essentially, the rex command goes through an extra step of string parsing, so backslashes have to be escaped an extra time.

gcusello
SplunkTrust
SplunkTrust

Hi @syk19567,

It's a bug that I requested to solve for one of our biggest customers:

if you tested a regex containing a backslash in regex101 and it runs, to use this regex in a search you have to add two more backslashes to each backslash.

If instead you want to use this regex in a field extraction, you have to use the regex from regex101 (the one with one backslash).

So the regex to use in a search is:

| rex "\\\\\"submission_id\\\\\":(?<submission_id>\d+)"

Instead, the regex to use in the field extraction (and regex101) is:

\\\"submission_id\\\":(?P<submission_id>\d+)

In addition, if you try to use the IFX on the same sourcetype, you have an error and you cannot use IFX.

As I said, I asked to solve this bug but they didn't give me a date.

Ciao.

Giuseppe

syk19567
Explorer

Thank you Giuseppe, this is very informative!

syk19567
Explorer

This blows my mind and I'm kinda lost. But this really works!! Thank you!

isoutamo
SplunkTrust
SplunkTrust

Rule of thumb in splunk with rex. Add \-characters until it works 😉
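The two answers above (ITWhisperer's doubled backslashes for `rex`, and Giuseppe's point that a field extraction takes the regex101 form unchanged) both come down to the same thing: a quoted `rex` argument is unescaped once by the SPL parser before the regex engine ever sees it. The following Python script is an added illustration, not code from the thread or from Splunk; it uses a simplified model of SPL quoted-string unescaping (`\\` becomes `\`, `\"` becomes `"`, every other backslash sequence such as `\d` is left alone), which is an assumption about the parser, and it rewrites `(?<name>` to `(?P<name>` because Python's `re` only accepts the latter spelling of a named group. The sample event is constructed to mirror the log line in the question.

```python
import re

# Constructed sample event: the raw text contains literal backslashes
# before both double quotes, exactly as the question shows it.
EVENT = r'\"submission_id\":337901'

# The three quoted rex arguments from the thread, written as Python raw
# strings so every backslash is preserved character-for-character.
ORIGINAL_REX = r'\"submission_id\\\":(?<subID>\d+)'          # from the question
ITWHISPERER_REX = r'\\\"submission_id\\\\\":(?<subID>\d+)'    # accepted answer
GCUSELLO_REX = r'\\\\\"submission_id\\\\\":(?<submission_id>\d+)'

# Giuseppe's field-extraction form: the regex101 regex, used as-is.
FIELD_EXTRACTION_REGEX = r'\\\"submission_id\\\":(?P<submission_id>\d+)'


def spl_unquote(literal: str) -> str:
    """Assumed model of SPL's handling of a double-quoted argument.

    '\\\\' -> '\\', '\\"' -> '"'; any other backslash sequence (e.g. \\d)
    is passed through untouched so the regex engine still sees it.
    """
    out = []
    i = 0
    while i < len(literal):
        c = literal[i]
        if c == "\\" and i + 1 < len(literal) and literal[i + 1] in '\\"':
            out.append(literal[i + 1])   # collapse the escape to one char
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def to_python_regex(regex: str) -> str:
    """PCRE and regex101 accept (?<name>...); Python's re needs (?P<name>...).
    Lookbehinds (?<= and (?<! are left alone by the \\w lookahead."""
    return re.sub(r"\(\?<(?=\w)", "(?P<", regex)


def direct_match(regex: str, event: str):
    """What regex101 (and a props.conf EXTRACT) does: the regex is used as-is."""
    m = re.search(to_python_regex(regex), event)
    return m.groupdict() if m else None


def spl_rex(quoted_arg: str, event: str):
    """What `| rex "<quoted_arg>"` does under the assumed model: the SPL
    parser strips one layer of escaping, then the result is the regex."""
    return direct_match(spl_unquote(quoted_arg), event)


if __name__ == "__main__":
    print("regex101 form, used directly:", direct_match(FIELD_EXTRACTION_REGEX, EVENT))
    for label, arg in [("original", ORIGINAL_REX),
                       ("ITWhisperer", ITWHISPERER_REX),
                       ("gcusello", GCUSELLO_REX)]:
        print(f"{label:12s} regex after SPL unquoting: {spl_unquote(arg)}")
        print(f"{label:12s} rex result: {spl_rex(arg, EVENT)}")
```

Printing the unquoted form is the useful part: the question's argument collapses to `"submission_id\":(?<subID>\d+)`, whose `\"` is just a quote, so the regex demands `submission_id"` with no backslash in between and cannot match the event. The doubled version collapses to `\"submission_id\\":(?<subID>\d+)`, which keeps a literal backslash before the second quote and matches. The same simulation also shows why the regex101 form works unchanged in a field extraction: no unquoting step runs there.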