Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex works on regex101 but not splunk

syk19567
Explorer
‎02-09-2024 08:39 AM

Hi community,

I'm using rex to get some strings.

The log is like

\"submission_id\":337901

The regex I'm using is:

\"submission_id\\\":(?<subID>\d+)

It works well on regex101:
https://regex101.com/r/Usr7Ki/1

However, in Splunk, it doesn't find anything.
The command is (just added double quotes to wrap the regex)

rex "\"submission_id\\\":(?<subID>\d+)"

 Any ideas and suggestions are appreciated!

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-09-2024 08:46 AM

You need to double up on some of your backslashes

| rex "\\\"submission_id\\\\\":(?<subID>\d+)"

Essentially, the rex command goes through a extra step of string parsing so backslashes have to be escaped an extra time

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-09-2024 08:53 AM

Hi @syk19567,

it's a bug that I requested to solve for one of our biggest customers:

if you tested a regex containing a backslas in regex101 and it runs, to use this regex in a search you have to add other two backslashes to each backslash.

If instead you want to use this regex in a field extraction, you have to use the regex from regex1010 (the one with one backslash).

so the regex to use in a search is:

| rex "\\\\\"submission_id\\\\\":(?<submission_id>\d+)"

instead the regex to use in the extract field (and regex101) is

\\\"submission_id\\\":(?P<submission_id>\d+)

In addition, if you try to use the IFX on the same sourcetype, you have an error and you cannot use IFX.

As I said, I asked to solve this bug but they didn't give me a date.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

syk19567
Explorer
‎02-09-2024 09:31 AM

Thank you Giuseppe, this is very informative!

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-09-2024 08:46 AM

You need to double up on some of your backslashes

| rex "\\\"submission_id\\\\\":(?<subID>\d+)"

Essentially, the rex command goes through a extra step of string parsing so backslashes have to be escaped an extra time

Reply
Solved! Jump to solution

syk19567
Explorer
‎02-09-2024 08:53 AM

This blows my mind and I'm kinda lost. But this really works!! Thank you!

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎02-09-2024 08:55 AM
Rule of thumb in splunk with rex. Add \-characters until it works 😉
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
Top