- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Splunk regex error: Missing terminating ] for ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Splunkers,
Noob. Trying to only retrieve the log names (ex. utility.log) after the last slash
blah\blah\blah\logs\error.log
blah\blah\blah\logs\audit.log
blah\blah\blah\logs\utility.log
blah\blah\blah\logs\service.log
blah\blah\blah\logs\servlet.log
Does anyone have any ideas as to why my regex returns the error below? Thanks all!
| rex field=source "\\\([^\\\]+)$"
Error in 'rex' command: Encountered the following error while compiling the regex '([^]+)$': Regex: missing terminating ] for character class.
P.S. The regex I am using above worked on regex 101
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi spluzer,
try this
\\(?<log_name>\w+\.\w+)$
that you can test at https://regex101.com/r/kUsfJu/1
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi spluzer,
try this
\\(?<log_name>\w+\.\w+)$
that you can test at https://regex101.com/r/kUsfJu/1
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, I should have been more clear. I need to capture everything after the last slash for all 5 logs.
error.log
audit.log
utility.log
service.log
servlet.log
Moreover, I couldn't get what you sent (entering the log name in individually) to work in regex 101 or splunk.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sorry, did you tried with
| rex field=source "\\(?<log_name>\w+\.\w+)$"
?
As you can see in regex101, it extracts all the requested filenames that are after tha last backslash.
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. it required 3 slashes after the first quote.. and then it worked..thanks again! For some reason the 3rd slash (which I assume you posted) gets cut off when posting to the forum
| rex field=source "\(?\w+.\w+)$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lol...it did it again !! THIS IS THE CORRECT ONE:
| rex field=source "\\(?\w+.\w+)$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| rex field=source "\\(?\w+.\w+)$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| rex field=source "\\(?\w+.\w+)$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lol...oh well i guess i cant post the correct code. it keeps getting overwritten during posting . anyway thanks Giuseppe. what you have is correct it just requires 3 slashes after the first quote
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
CORRECTION
Some text got cut out in posting
MY SPLUNK QUERY/REGEX IS THIS:
| rex field=source "\([^\]+)$"
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
