Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex works on regex101 but not splunk

syk19567
Explorer
‎02-09-2024 08:39 AM

Hi community,

I'm using rex to get some strings.

The log is like

\"submission_id\":337901

The regex I'm using is:

\"submission_id\\\":(?<subID>\d+)

It works well on regex101:
https://regex101.com/r/Usr7Ki/1

However, in Splunk, it doesn't find anything.
The command is (just added double quotes to wrap the regex)

rex "\"submission_id\\\":(?<subID>\d+)"

 Any ideas and suggestions are appreciated!

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-09-2024 08:46 AM

You need to double up on some of your backslashes

| rex "\\\"submission_id\\\\\":(?<subID>\d+)"

Essentially, the rex command goes through a extra step of string parsing so backslashes have to be escaped an extra time

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-09-2024 08:53 AM

Hi @syk19567,

it's a bug that I requested to solve for one of our biggest customers:

if you tested a regex containing a backslas in regex101 and it runs, to use this regex in a search you have to add other two backslashes to each backslash.

If instead you want to use this regex in a field extraction, you have to use the regex from regex1010 (the one with one backslash).

so the regex to use in a search is:

| rex "\\\\\"submission_id\\\\\":(?<submission_id>\d+)"

instead the regex to use in the extract field (and regex101) is

\\\"submission_id\\\":(?P<submission_id>\d+)

In addition, if you try to use the IFX on the same sourcetype, you have an error and you cannot use IFX.

As I said, I asked to solve this bug but they didn't give me a date.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

syk19567
Explorer
‎02-09-2024 09:31 AM

Thank you Giuseppe, this is very informative!

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-09-2024 08:46 AM

You need to double up on some of your backslashes

| rex "\\\"submission_id\\\\\":(?<subID>\d+)"

Essentially, the rex command goes through a extra step of string parsing so backslashes have to be escaped an extra time

Reply
Solved! Jump to solution

syk19567
Explorer
‎02-09-2024 08:53 AM

This blows my mind and I'm kinda lost. But this really works!! Thank you!

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎02-09-2024 08:55 AM
Rule of thumb in splunk with rex. Add \-characters until it works 😉
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...