Hello Splunk community,
When trying to splice multiple events so that it can generate a specific output from a Splunk index, I’ve been running into the “Regex: syntax error in subpattern name (missing terminator)” error often.
=========================================================================
For example, there are events that are being shown in a Splunk index: (each line is a different Splunk event)
“This is one way to do everything” “Regular Expressions in Splunk” “test:
123fourfive” “and escape characters” “test:
!A-Z” “are an interesting exercise in” “test:
~Lettersand Numbers” “finding out how Regex works” “test:
What is the? AndWhen to use it!” “in Splunk.” “test:
This is the Splunk query:
*randomsplunkindex*|rex field=_raw “(?<OUTPUT>(?<=” “).*(?=” “test:))”
I’m trying to get the output between the two quotes.
So that the output would be:
Regular Expressions in Splunk
and escape characters
are an interesting exercise in
finding out how Regex works
in splunk.
However I’ve run into this error “Regex: syntax error in subpattern name (missing terminator)”
I’ve tried these combinations of exit characters so that I won’t get the “Regex: syntax error in subpattern name (missing terminator)” error:
*randomsplunkindex*|rex field=_raw "(?<OUTPUT>(?<=\" \").*(?=\" \"test:))"
*randomsplunkindex*|rex field=_raw "(?<OUTPUT>(?<=\" ").*(?=" \"test:))"
*randomsplunkindex*|rex field=_raw "(?<OUTPUT>(?<=\" \").*(?=" "test:))"
*randomsplunkindex*|rex field=_raw "(?<OUTPUT>(?<=" ").*(?=\" \"test:))"
*randomsplunkindex*|rex field=_raw "(?<OUTPUT>\(?<=" ").*(?=" "test:)\)"
Is there any way to use regular expressions when there are characters like “ or ‘ in said event and you’re trying to extract the output using rex?
The error is caused by this group construct:
(?<=)
The engine expects a group name following the left angle bracket. If you intended to use a conditional lookbehind, it would be written like this:
(?(?<=pattern1)pattern2|pattern3)
However, you can simplify your expression like this:
.*"(?<OUTPUT>.*)"\s"test:
| rex ".*\"(?<OUTPUT>.*)\"\\s\"test:"
| OUTPUT | _raw |
| --- | --- |
| Regular Expressions in Splunk | "This is one way to do everything" "Regular Expressions in Splunk" "test: |
| and escape characters | 123fourfive" "and escape characters" "test: |
| are an interesting exercise in | !A-Z" "are an interesting exercise in" "test: |
| finding out how Regex works | ~Lettersand Numbers" "finding out how Regex works" "test: |
| in Splunk. | What is the? AndWhen to use it!" "in Splunk." "test: |
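The two patterns in the answer above are the same regex at two quoting layers: the bare pattern, and the pattern as a double-quoted rex argument. The following is an added example, not code from the thread: it uses Python's `re` in place of Splunk's PCRE engine, the helpers `spl_unescape`, `to_python_syntax` and `rex` are hypothetical, and the unescaping rule is a simplified assumption.

```python
import re

# Constructed sample: the five events from the question, one string per event.
EVENTS = [
    '"This is one way to do everything" "Regular Expressions in Splunk" "test:',
    '123fourfive" "and escape characters" "test:',
    '!A-Z" "are an interesting exercise in" "test:',
    '~Lettersand Numbers" "finding out how Regex works" "test:',
    'What is the? AndWhen to use it!" "in Splunk." "test:',
]

# The rex argument exactly as typed in the search bar (outer quotes included).
SPL_ARG = r'".*\"(?<OUTPUT>.*)\"\\s\"test:"'


def spl_unescape(quoted):
    # Simplified model (assumption): strip the outer quotes, then unescape
    # backslash-quote and backslash-backslash; other backslashes pass through.
    if len(quoted) < 2 or quoted[0] != '"' or quoted[-1] != '"':
        raise ValueError("argument must be wrapped in double quotes")
    return re.sub(r'\\(["\\])', r'\1', quoted[1:-1])


def to_python_syntax(pattern):
    # PCRE spells a named group (?<name>...); Python spells it (?P<name>...).
    # Lookbehinds (?<=...) and (?<!...) are left alone, because '=' and '!'
    # cannot start a group name.
    return re.sub(r'\(\?<([A-Za-z_]\w*)>', r'(?P<\1>', pattern)


def rex(event, spl_arg, field="OUTPUT"):
    # Returns the captured field, or None when the pattern does not match
    # (rex leaves the field unset in that case).
    m = re.search(to_python_syntax(spl_unescape(spl_arg)), event)
    return m.group(field) if m else None


if __name__ == "__main__":
    print("regex seen by the engine:", spl_unescape(SPL_ARG))
    for ev in EVENTS:
        print(repr(rex(ev, SPL_ARG)), "<-", ev)
```
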
@tscroggins Interesting, didn't realize that
(?<=)
would have an impact on the engine. Yes, I did intend to use a conditional lookbehind; I just didn't know that it had to be written like:
(?(?<=pattern1)pattern2|pattern3)
I'll keep this in mind when creating more SPL rex queries in the future for this. Thanks for pointing this out.