Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Rex Error help: How to extract a certain part ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bomran
Explorer
03-12-2018
08:31 AM
Hi,
I want to extract a certain part of a string, for instance:
Input
\\domain.org\teams\team1\bla\bla\bla
\\domain.org\teams\team2\bla\bla
\\domain.org\teams\team3\bla
\\domain.org\teams\team4
I want the following output:
team1
team2
team3
team4
I'm using the below Regex which works in Regex101 but not on Splunk.
The regex I'm using is:
(^\\\\domain\.org\\teams\\)(?P<Team>[^\\]+)
and has this error in Splunk:
Error in 'rex' command: Encountered the following error while compiling the regex '(^\\domain\.org\\teams\)(?P<Team>[^\]+)': Regex: missing terminating ] for character class
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tiagofbmm
Influencer
03-12-2018
09:20 AM
You're right, check the correct one
| rex field=_raw "\\\domain\.org\\\teams\\\(?<Team>[^\\\]*)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tiagofbmm
Influencer
03-12-2018
09:20 AM
You're right, check the correct one
| rex field=_raw "\\\domain\.org\\\teams\\\(?<Team>[^\\\]*)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bomran
Explorer
03-12-2018
09:21 AM
Amazing, thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tiagofbmm
Influencer
03-12-2018
08:53 AM
Please try this one
(^\\\\domain\.org\\teams\\)(?<Team>[^\\]+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bomran
Explorer
03-12-2018
09:11 AM
Hi,
Thanks - it still throws the same error though
Regex: missing terminating ] for character class
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Tech Talk Recap | Mastering Threat Hunting
Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...
Observability for AI Applications: Troubleshooting Latency
If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...
