Rex Error help: How to extract a certain part of a string?

Explorer

Hi,

I want to extract a certain part of a string, for instance:

Input

\\domain.org\teams\team1\bla\bla\bla
\\domain.org\teams\team2\bla\bla
\\domain.org\teams\team3\bla
\\domain.org\teams\team4

I want the following output:

team1
team2
team3
team4

I'm using the below Regex which works in Regex101 but not on Splunk.

The regex I'm using is:

(^\\\\domain\.org\\teams\\)(?P<Team>[^\\]+)

and has this error in Splunk:

Error in 'rex' command: Encountered the following error while compiling the regex '(^\\domain\.org\\teams\)(?P<Team>[^\]+)': Regex: missing terminating ] for character class

0 Karma
1 Solution

Influencer

You're right, check the correct one

| rex field=_raw "\\\domain\.org\\\teams\\\(?<Team>[^\\\]*)"

Explorer

Amazing, thank you.

0 Karma

Influencer

Please try this one

(^\\\\domain\.org\\teams\\)(?<Team>[^\\]+)

0 Karma

Explorer

Hi,

Thanks - it still throws the same error though
Regex: missing terminating ] for character class

0 Karma