Regular expressions that use “ or ‘ and exit characters.

learningsplunk
Path Finder

Hello Splunk community,

When trying to splice multiple events so that it can generate a specific output from a Splunk index, I’ve been running into the “Regex: syntax error in subpattern name (missing terminator)” error often.

=========================================================================

For example, there are events that are being shown in a Splunk index: (each line is a different Splunk event)

 

“This is one way to do everything” “Regular Expressions in Splunk” “test:

123fourfive” “and escape characters” “test:

!A-Z” “are an interesting exercise in” “test:

~Lettersand Numbers” “finding out how Regex works” “test:

What is the? AndWhen to use it!” “in Splunk.” “test:

 

This is the Splunk query :

 

*randomsplunkindex*|rex field=_raw “(?<OUTPUT>(?<=” “).*(?=” “test:))”

 

I’m trying to get the output between the two quotes.

So that the output would be:

 

Regular Expressions in Splunk

and escape characters

are an interesting exercise in

finding out how Regex works

in splunk.

 

However I’ve run into this error “Regex: syntax error in subpattern name (missing terminator)”

I’ve tried these combinations of exit characters so that I won’t get the “Regex: syntax error in subpattern name (missing terminator)” error:

 

*randomsplunkindex*|rex field=_raw "(?<OUTPUT>(?<=\" \").*(?=\" \"test:))"
*randomsplunkindex*|rex field=_raw "(?<OUTPUT>(?<=\" ").*(?=" \"test:))"
*randomsplunkindex*|rex field=_raw "(?<OUTPUT>(?<=\" \").*(?=" "test:))"
*randomsplunkindex*|rex field=_raw "(?<OUTPUT>(?<=" ").*(?=\" \"test:))"
*randomsplunkindex*|rex field=_raw "(?<OUTPUT>\(?<=" ").*(?=" "test:)\)"

 

Is there any way to use regular expressions when there are characters like “ or ‘ in said event and you’re trying to extract the output using rex?


tscroggins
Influencer

@learningsplunk 

The error is caused by this group construct:

 

(?<=)

 

The engine expects a group name following the left angle bracket. If you intended to use a conditional lookbehind, it would be written like this:

(?(?<=pattern1)pattern2|pattern3)

 

However, you can simplify your expression like this:

 

.*"(?<OUTPUT>.*)"\s"test:
| rex ".*\"(?<OUTPUT>.*)\"\\s\"test:"

 

| OUTPUT | _raw |
|---|---|
| Regular Expressions in Splunk | This is one way to do everything" "Regular Expressions in Splunk" "test: |
| and escape characters | 123fourfive" "and escape characters" "test: |
| are an interesting exercise in | !A-Z" "are an interesting exercise in" "test: |
| finding out how Regex works | ~Lettersand Numbers" "finding out how Regex works" "test: |
| in Splunk. | What is the? AndWhen to use it!" "in Splunk." "test: |
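
The two escaping layers in the answer above (bare regex, then the same regex inside a double-quoted `rex` argument), as an added example that is not part of the original thread. It uses JavaScript because its regex engine accepts the same `(?<OUTPUT>...)` named-group syntax; the helper names are hypothetical, and the escaping rule is assumed from the regex/`rex` pair shown in the answer.

```javascript
// Added example, not code from the thread. Helper names are hypothetical.
// Events copied from the question, with straight quotes as in the answer's table.
const EVENTS = [
  'This is one way to do everything" "Regular Expressions in Splunk" "test:',
  '123fourfive" "and escape characters" "test:',
  '!A-Z" "are an interesting exercise in" "test:',
  '~Lettersand Numbers" "finding out how Regex works" "test:',
  'What is the? AndWhen to use it!" "in Splunk." "test:',
];

// Layer 1: the bare regular expression from the accepted answer.
const PATTERN = String.raw`.*"(?<OUTPUT>.*)"\s"test:`;

// Layer 2: make the regex safe inside a double-quoted SPL string by escaping
// backslashes first, then double quotes (assumed from the answer's rex line).
function escapeForSpl(regexSource) {
  return regexSource.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
}

function toRexArgument(regexSource) {
  return `| rex "${escapeForSpl(regexSource)}"`;
}

// Positions of double quotes that are not backslash-escaped. Any hit inside
// the body of a quoted rex argument closes the SPL string early.
function findUnescapedQuotes(body) {
  const hits = [];
  for (let i = 0; i < body.length; i++) {
    if (body[i] === '\\') i++;              // skip the escaped character
    else if (body[i] === '"') hits.push(i);
  }
  return hits;
}

// Run the bare regex over each event; return the OUTPUT capture or null.
function extractOutput(events, regexSource) {
  const re = new RegExp(regexSource);
  return events.map((e) => re.exec(e)?.groups.OUTPUT ?? null);
}

console.log(toRexArgument(PATTERN));
console.log(findUnescapedQuotes(PATTERN), findUnescapedQuotes(escapeForSpl(PATTERN)));
console.log(extractOutput(EVENTS, PATTERN));
```

Running `findUnescapedQuotes` on the text between the outer quotes of a `rex` argument before pasting it into a search shows which quotes still need a backslash.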

learningsplunk
Path Finder

@tscroggins Interesting, didn't realize that

(?<=)

would have an impact on the engine. Yes, I did intend to use a conditional lookbehind; I just didn't know that it had to be written like:

(?(?<=pattern1)pattern2|pattern3)


I'll keep this in mind when creating more SPL rex queries in the future for this. Thanks for pointing this out. 
