Splunk Search

Should I be escaping each backslash with a second backslash in my regex?

phatfingers
Explorer

I'm troubleshooting a regex to match against the following data (names and IP addresses are fictional):

Aug 26 10:55:50 10.11.12.13 PRIMUS NT: <Security;F529;NT AUTHORITY\SYSTEM> Logon Failure:  Reason:Unknown user name or bad password User Name:bob  Domain:10.11.12.13  Logon Type:3  Logon Process:NtLmSsp   Authentication Package:NTLM  Workstation Name:FAUX  Caller User Name:-  Caller Domain:-  Caller Logon ID:-  Caller Process ID:-  Transited Services:-  Source Network Address:10.11.12.14  Source Port:0

I believe the regex below is a valid PCRE, but Splunk's search complains with the message:

Error in 'SearchOperator:regex': The regex '<Security;[A-Z]\d+;[^\]+' is invalid. missing terminating ] for character class

| regex _raw="<Security;[A-Z]\d+;[^\\]+"

When I create a regex for a Splunk search, am I supposed to escape each backslash with an additional backslash? The following search appears to work...

| regex _raw="<Security;[A-Z]\\d+;[^\\\\]+"
Tags (3)
0 Karma

wrangler2x
Motivator

All you need to do is to replace [^\] with [^\x5C] in your rex or regex and that will not(match) on backslash.

landen99
Motivator

At the search line, each backslash must be escaped. In the Field Extraction regex, only the literal backslash (matching the "\") needs to be escaped.
Search line:

| rex field=UserName "(?<field1>[^\\\\]+)\\\\+(?<field2>[^\\\\\\",]+)$"

Field Extraction:

(?<field1>[^\\]+)\\+(?<field2>[^\\\",]+)$

Additionally, at the search line, double quotes must be escaped. In many cases like the double quote, the search line does not require every backslash to be escaped. The following example takes the previous case and allows for double quotes to be found around the field values without matching them.

Search line:

| rex field=_raw "UserName=\"?(?<field1>[^\\\\]+)\\\\+(?<field2>[^\\\\\",]+)\"?$"

OR

| rex field=_raw "UserName=\\"?(?<field1>[^\\\\]+)\\\\+(?<field2>[^\\\\\",]+)\\"?$"

Field Extraction:

\"?(?<field1>[^\\]+)\\+(?<field2>[^\\\",]+)\"?$
0 Karma

cnk
Path Finder

Yes, backslash is a meta-character everywhere, even within a character class, and therefore you will need to escape it.

<Security;[A-Z]\d+;[^\\]+
0 Karma

sbsbb
Builder

Same problem...

0 Karma

phatfingers
Explorer

That didn't quite answer my question... please closely look at the difference between my search and Splunk's error message. If I copy and paste the regex you provided, Splunk responds with an error.

Error in 'SearchOperator:regex': The regex '<Security;[A-Z]\d+;[^\]+' is invalid. missing terminating ] for character class

It's behaving as though the double-backslash is first unescaped, then applied to the "]" character as a literal. Note how in the error message, it only shows one backslash, but the character class in my query had two.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!