Splunk Search

Splunk regex error: Missing terminating ] for character class

spluzer
Communicator

Hey Splunkers,

Noob. Trying to only retrieve the log names (ex. utility.log) after the last slash

blah\blah\blah\logs\error.log
blah\blah\blah\logs\audit.log
blah\blah\blah\logs\utility.log
blah\blah\blah\logs\service.log
blah\blah\blah\logs\servlet.log

Does anyone have any ideas as to why my regex returns the error below? Thanks all!

| rex field=source "\\\([^\\\]+)$"

Error in 'rex' command: Encountered the following error while compiling the regex '([^]+)$': Regex: missing terminating ] for character class.

P.S. The regex I am using above worked on regex 101

1 Solution

gcusello
Legend

Hi spluzer,
try this

\\(?<log_name>\w+\.\w+)$

that you can test at https://regex101.com/r/kUsfJu/1

Bye.
Giuseppe

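To separate the regex engine's own requirement from the extra backslash doubling that SPL's double-quoted string adds (which is what the rest of the thread wrestles with), here is an added Python check that is not from the thread or from Splunk. It shows the pattern the engine must finally receive, why the reported `([^]+)$` fails to compile, and where the `\w+\.\w+` form falls short. `SOURCES` is constructed from the paths in the question; `SPACED` is a constructed extra path.

```python
import re

# Constructed sample values for the "source" field, taken from the question.
SOURCES = [
    r"blah\blah\blah\logs\error.log",
    r"blah\blah\blah\logs\audit.log",
    r"blah\blah\blah\logs\utility.log",
    r"blah\blah\blah\logs\service.log",
    r"blah\blah\blah\logs\servlet.log",
]
# Constructed extra path whose file name contains a space (not from the thread).
SPACED = r"blah\logs\my utility.log"

# What the regex engine must actually receive: a literal backslash is `\\`,
# so "anything but a backslash" is `[^\\]`. This is the intent of the question.
LAST_COMPONENT = r"\\(?P<log_name>[^\\]+)$"
# gcusello's pattern in Python's named-group syntax; it requires a "name.ext"
# shape made of word characters, so it will not match names with spaces.
NAME_DOT_EXT = r"\\(?P<log_name>\w+\.\w+)$"
# The pattern Splunk reported compiling: a `]` directly after `[^` is a literal
# member of the class, so the class is never closed and compilation fails.
BROKEN = r"([^]+)$"


def extract_log_names(pattern, sources):
    """Return the first capture group for every source the pattern matches."""
    regex = re.compile(pattern)
    names = []
    for src in sources:
        match = regex.search(src)
        if match:
            names.append(match.group(1))
    return names


def compile_error(pattern):
    """Return the engine's complaint for a bad pattern, or None if it compiles."""
    try:
        re.compile(pattern)
    except re.error as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(extract_log_names(LAST_COMPONENT, SOURCES))          # five log names
    print(extract_log_names(NAME_DOT_EXT, SOURCES + [SPACED]))  # misses the spaced one
    print(compile_error(BROKEN))                                # unterminated class
```

Once the pattern is right at the engine level, the only remaining question is how many backslashes the SPL string layer needs to deliver `\\` to the engine.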

spluzer
Communicator

Sorry, I should have been more clear. I need to capture everything after the last slash for all 5 logs.

error.log
audit.log
utility.log
service.log
servlet.log

Moreover, I couldn't get what you sent (entering the log name in individually) to work in regex 101 or splunk.

Thanks!

gcusello
Legend

Sorry, did you try with

| rex field=source "\\(?<log_name>\w+\.\w+)$"

?
As you can see in regex101, it extracts all the requested filenames that are after the last backslash.

Bye.
Giuseppe

spluzer
Communicator

Thanks. It required 3 slashes after the first quote, and then it worked. Thanks again! For some reason the 3rd slash (which I assume you posted) gets cut off when posting to the forum.

| rex field=source "\(?\w+.\w+)$"

spluzer
Communicator

lol... it did it again!! THIS IS THE CORRECT ONE:

| rex field=source "\\(?\w+.\w+)$"

spluzer
Communicator

| rex field=source "\\(?\w+.\w+)$"

spluzer
Communicator

| rex field=source "\\(?\w+.\w+)$"

spluzer
Communicator

lol... oh well, I guess I can't post the correct code. It keeps getting overwritten during posting. Anyway, thanks Giuseppe. What you have is correct; it just requires 3 slashes after the first quote.

spluzer
Communicator

CORRECTION

Some text got cut out in posting.
MY SPLUNK QUERY/REGEX IS THIS:

| rex field=source "\([^\]+)$"
