- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Should I be escaping each backslash with a sec...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Should I be escaping each backslash with a second backslash in my regex?
I'm troubleshooting a regex to match against the following data (names and IP addresses are fictional):
Aug 26 10:55:50 10.11.12.13 PRIMUS NT: <Security;F529;NT AUTHORITY\SYSTEM> Logon Failure: Reason:Unknown user name or bad password User Name:bob Domain:10.11.12.13 Logon Type:3 Logon Process:NtLmSsp Authentication Package:NTLM Workstation Name:FAUX Caller User Name:- Caller Domain:- Caller Logon ID:- Caller Process ID:- Transited Services:- Source Network Address:10.11.12.14 Source Port:0
I believe the regex below is a valid PCRE, but Splunk's search complains with the message:
Error in 'SearchOperator:regex': The regex '<Security;[A-Z]\d+;[^\]+' is invalid. missing terminating ] for character class
| regex _raw="<Security;[A-Z]\d+;[^\\]+"
When I create a regex for a Splunk search, am I supposed to escape each backslash with an additional backslash? The following search appears to work...
| regex _raw="<Security;[A-Z]\\d+;[^\\\\]+"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All you need to do is to replace [^\] with [^\x5C] in your rex or regex and that will not(match) on backslash.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
At the search line, each backslash must be escaped. In the Field Extraction regex, only the literal backslash (matching the "\") needs to be escaped.
Search line:
| rex field=UserName "(?<field1>[^\\\\]+)\\\\+(?<field2>[^\\\\\\",]+)$"
Field Extraction:
(?<field1>[^\\]+)\\+(?<field2>[^\\\",]+)$
Additionally, at the search line, double quotes must be escaped. In many cases like the double quote, the search line does not require every backslash to be escaped. The following example takes the previous case and allows for double quotes to be found around the field values without matching them.
Search line:
| rex field=_raw "UserName=\"?(?<field1>[^\\\\]+)\\\\+(?<field2>[^\\\\\",]+)\"?$"
OR
| rex field=_raw "UserName=\\"?(?<field1>[^\\\\]+)\\\\+(?<field2>[^\\\\\",]+)\\"?$"
Field Extraction:
\"?(?<field1>[^\\]+)\\+(?<field2>[^\\\",]+)\"?$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, backslash is a meta-character everywhere, even within a character class, and therefore you will need to escape it.
<Security;[A-Z]\d+;[^\\]+
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Same problem...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That didn't quite answer my question... please closely look at the difference between my search and Splunk's error message. If I copy and paste the regex you provided, Splunk responds with an error.
Error in 'SearchOperator:regex': The regex '<Security;[A-Z]\d+;[^\]+' is invalid. missing terminating ] for character class
It's behaving as though the double-backslash is first unescaped, then applied to the "]" character as a literal. Note how in the error message, it only shows one backslash, but the character class in my query had two.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
