Splunk Search

Rex not working for special characters

jravida
Communicator

Hi Folks,

I've worked out a regex to pull out group names from audit logs. It works for one field with no special characters, but in another, more elaborated field, my rex becomes confused.
Example

|rex "\w+ added to (?"EXTRACTION SHOULD BE HERE BUT SPLUNK.com FILTERS THE TAGS"\w+) in the \w+"

"Member Bill added to Mail Admin in the Restricted Groups Policy PostOffice"

works fine, but when it becomes more complex I am not sure how to have the rex query ignore all the special characters that may show up

"Member Bill added to Mail Admin in the Restricted Groups Policy (SLASHES)K12\\DC5000Dallas [WEDT] Mail Admin"

This turns up nothing. So basically I want to eliminate the slashes (that don't show up here oddly) and [] that get mixed in, just ignore after the group name extraction. Thanks in advance!

Edit, splunk filters out the tags so the rex looks weird but I'm using the correct named extration

Tags (2)
1 Solution

somesoni2
Revered Legend

Try this

|rex "(\w+\s)+added to (?<myField>.*) in the"

View solution in original post

somesoni2
Revered Legend

Try this

|rex "(\w+\s)+added to (?<myField>.*) in the"

ppablo
Community Manager
Community Manager

There's a reason @somesoni2 is always the #1 or #2 ranked user on Answers 😜

0 Karma

sk314
Builder

that was fast! didn't see it before I posted a somewhat similar regex!!

0 Karma

jravida
Communicator

Thanks for the fast response! I was a bit more off than I though!

0 Karma

jravida
Communicator

I just want to pull out "Mail Admin" and discard the rest

0 Karma

sk314
Builder

could you specify what would be the correct extraction in the last example (the one with [WEDT])?

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>