Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Unable to rex string containing "&"

kknopp
Path Finder
‎01-29-2015 08:06 AM

I am trying to rex a URL string. Here is an example: 

ManageAccount.do?ACTION=VIEW&id=27271905&acctViewType=transactions

My SPL is

\w+\.\w+\?ACTION=VIEW\&id=\d+\&acctViewType=\w+

which is about as specific as one can get. Thing is, this doesn't return results. I tried the following:

\w+\.\w+\?ACTION=.*

to try and generalize, but my result was "ManageAccount.do?ACTION=VIEW"

Has anyone heard of issues with & in a regex, and issues with it in Splunk?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kknopp
Path Finder
‎01-29-2015 01:13 PM

Thank you for all the assistance. The issue was actually the transforms file. When I gave the "URL" string, that was actually me looking at the _raw output and seeing it. When I did | table URL, what I actually saw was ManageAccount.do?ACTION=VIEW. We (read an admin from a long time ago) handrolled one of our sourcetypes, and the parsing is jacked on it.

My solution?

rex field=_raw "URL=(?[^;]*)"

Then real_uri is equivalent to what I thought URL was. sigh Well, there's a day of work wasted. Thanks again everyone!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kknopp
Path Finder
‎01-29-2015 01:13 PM

Thank you for all the assistance. The issue was actually the transforms file. When I gave the "URL" string, that was actually me looking at the _raw output and seeing it. When I did | table URL, what I actually saw was ManageAccount.do?ACTION=VIEW. We (read an admin from a long time ago) handrolled one of our sourcetypes, and the parsing is jacked on it.

My solution?

rex field=_raw "URL=(?[^;]*)"

Then real_uri is equivalent to what I thought URL was. sigh Well, there's a day of work wasted. Thanks again everyone!

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎01-29-2015 12:32 PM

Hi kknopp,

I don't see any problem, maybe you need do use some capturing group in your regex like this:

sourcetype=syslog | head 1 | eval foo="ManageAccount.do?ACTION=VIEW&id=27271905&acctViewType=transactions" | rex field=foo "\w+\.\w+\?\w+=(?<ACTION>\w+)&id=(?<id>\d+)&acctViewType=(?<ViewType>\w+)" | table ACTION, id, ViewType

I used this on splunkstorm and it works perfectly - producing a result like this:

alt text
The sourcetype=syslog | head 1 | eval foo="ManageAccount.do?ACTION=VIEW&id=27271905&acctViewType=transactions" part is only to generate your event data, so you will not need to do it....simply do something like this:

your base search here | rex "\w+\.\w+\?\w+=(?<ACTION>\w+)&id=(?<id>\d+)&acctViewType=(?<ViewType>\w+)" | table ACTION, id, ViewType

cheers, MuS

Preview file
55 KB
Reply
Solved! Jump to solution

sk314
Builder
‎01-29-2015 12:32 PM

Try double escaping like so: "\\w+\\.\\w+\\?ACTION=.*"

0 Karma
Reply
Solved! Jump to solution

kknopp
Path Finder
‎01-29-2015 12:19 PM

I've also tried adding N{U+0026} to see if I could escape the Unicode character, but I got the error: "Regex: PCRE does not support L, l, N{name}, U, or u "

0 Karma
Reply
Solved! Jump to solution

wrangler2x
Motivator
‎01-29-2015 09:24 AM

I had no problem using & in a rex. Here is a test I tried and it returned a list of the strings after 'command=':

| rex "&docId=\d+&command=(?<command>[^ ]+)" | stats count by command

I'm on Splunk 6.1.5

0 Karma
Reply
Solved! Jump to solution

kknopp
Path Finder
‎01-29-2015 09:34 AM

We're on Splunk 6.1.1. I'll look at release notes, and see if maybe there was an issue in the earlier versions...

0 Karma
Reply
Solved! Jump to solution

kknopp
Path Finder
‎01-29-2015 09:39 AM

I don't see anything that would've caused this. I'm wondering if we have something crappy hidden in our transforms.conf file?

0 Karma
Reply
Solved! Jump to solution

wrangler2x
Motivator
‎01-29-2015 12:14 PM

Are you using this regex in a transform or are you using it in a rex in search? There may be a difference in how the regex is handled between the two, though I think it unlikely. But if you are using it in a transform, try it first using rex in a search and work on getting it working there first, then put it in the transform. If you are not extracting fields then in the search use regex rather than rex. And if it turns out that the & is causing problems you could try using

\x26

(26 is hex for &) in place of it in the regular expression. I've only tried this in SED-CMD but I'd guess if it works there it would work in a regex or rex. I discovered that trying to replace a backslash was very buggy, and using this method of expressing a character in hex worked around the bug.

0 Karma
Reply
Solved! Jump to solution

kknopp
Path Finder
‎01-29-2015 12:18 PM

I've just tried that as well, to no avail. tried variations of x26, x0026, x{26}. None worked.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...