
Regex works on regex101 but not splunk

syk19567
Explorer

Hi community,

I'm using rex to get some strings.

The log is like

\"submission_id\":337901

The regex I'm using is:

\"submission_id\\\":(?<subID>\d+)

It works well on regex101:
https://regex101.com/r/Usr7Ki/1

However, in Splunk, it doesn't find anything.
The command is (just added double quotes to wrap the regex)

rex "\"submission_id\\\":(?<subID>\d+)"

Any ideas and suggestions are appreciated!

1 Solution

ITWhisperer
SplunkTrust

You need to double up on some of your backslashes

| rex "\\\"submission_id\\\\\":(?<subID>\d+)"

Essentially, the rex command goes through an extra step of string parsing, so backslashes have to be escaped an extra time.


gcusello
SplunkTrust

Hi @syk19567,

It's a bug that I requested to solve for one of our biggest customers:

If you tested a regex containing a backslash in regex101 and it runs, to use this regex in a search you have to add another two backslashes to each backslash.

If instead you want to use this regex in a field extraction, you have to use the regex from regex101 (the one with one backslash).

So the regex to use in a search is:

| rex "\\\\\"submission_id\\\\\":(?<submission_id>\d+)"

Instead, the regex to use in the extract field (and regex101) is:

\\\"submission_id\\\":(?P<submission_id>\d+)

In addition, if you try to use the IFX on the same sourcetype, you have an error and you cannot use IFX.

As I said, I asked to solve this bug but they didn't give me a date.

Ciao.

Giuseppe
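To make the two answers above concrete, here is an added example (my own code, not from the thread or from Splunk) that models the extra string-parsing step described by ITWhisperer and Giuseppe: a double-quoted SPL string is unescaped once (backslash-backslash to a single backslash, backslash-quote to a bare quote, everything else passed through), and only then is the result used as a regex. The unescape rule is an assumption drawn from the thread, not Splunk's actual parser; the event line is constructed to mirror the one in the question.

```python
import re

# Constructed sample event, mirroring the question: a JSON fragment whose
# quotes are themselves backslash-escaped in the raw log text.
RAW_EVENT = r'{\"submission_id\":337901,\"status\":\"ok\"}'


def spl_unescape(literal: str) -> str:
    """Model of the extra parsing step a double-quoted SPL string goes
    through before rex sees the pattern (assumption based on the thread):
    a backslash pair becomes one backslash, backslash-quote becomes a bare
    quote, and any other backslash sequence (\\d, \\s, ...) is kept as-is."""
    out, i = [], 0
    while i < len(literal):
        ch = literal[i]
        if ch == "\\" and i + 1 < len(literal) and literal[i + 1] in '\\"':
            out.append(literal[i + 1])   # drop the escaping backslash
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def pcre_to_python(pattern: str) -> str:
    """Python's re only accepts (?P<name>...), so rewrite the PCRE-style
    (?<name>...) groups Splunk uses; lookbehinds (?<= and (?<! are untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def run_rex(spl_literal: str, event: str = RAW_EVENT):
    """Apply a rex pattern the way the thread describes: unescape the SPL
    string first, then run the resulting regex against the event.
    Returns (regex actually seen by rex, extracted fields or None)."""
    regex = spl_unescape(spl_literal)
    m = re.search(pcre_to_python(regex), event)
    return regex, (m.groupdict() if m else None)


def run_props_extraction(regex: str, event: str = RAW_EVENT):
    """A props.conf field extraction takes the regex verbatim (no SPL string
    parsing), so the regex101 version is used unchanged."""
    m = re.search(pcre_to_python(regex), event)
    return m.groupdict() if m else None


if __name__ == "__main__":
    print(run_rex(r'\"submission_id\\\":(?<subID>\d+)'))              # original: no match
    print(run_rex(r'\\\"submission_id\\\\\":(?<subID>\d+)'))          # ITWhisperer's form
    print(run_rex(r'\\\\\"submission_id\\\\\":(?<submission_id>\d+)')) # Giuseppe's search form
    print(run_props_extraction(r'\\\"submission_id\\\":(?P<submission_id>\d+)'))
```

The first tuple element printed for each search shows the regex rex actually runs, which makes it obvious why the original pattern ends up looking for `"submission_id":` with no backslash in between.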

syk19567
Explorer

Thank you Giuseppe, this is very informative!


syk19567
Explorer

This blows my mind and I'm kinda lost. But this really works!! Thank you!


isoutamo
SplunkTrust

Rule of thumb in Splunk with rex: add \-characters until it works 😉