Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- What is wrong with my regex? "Regex: missing termi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have this data
{"analyticType":"CustomAnalytic","buildTarget":"blah","clientSessionId":"DXFMLAF-CYTQQQK","Properties":{"index":1,"args":["{\"accountId\":\"exr244040\",\"customerId\":\"1001857\"}"],"category":"Event"}}
And this regex (which works in regex101
accountId\\":\\"(?<extref>[^\\]+)
but splunk barfs when I use it in this query
index=wholesale_app CustomAnalytic Properties.index=1|rex "accountId\\":\\"(?<extref>[^\\]+)"|stats count by extref
with this error message
Error in 'rex' command: Encountered the following error while compiling the regex 'accountId\:\(?<extref>[^\]+)': Regex: missing terminating ] for character class
(scratches head).....what am I doing wrong?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Because the rex is in quotes, you need to escape the escape character(s) again, and then iterate testing it until it resolves.
Here's run-anywhere code...
| makeresults
| eval data = "{\"analyticType\":\"CustomAnalytic\",\"buildTarget\":\"blah\",\"clientSessionId\":\"DXFMLAF-CYTQQQK\",\"Properties\":{\"index\":1,\"args\":[\"{\\\"accountId\\\":\\\"exr244040\\\",\\\"customerId\\\":\\\"1001857\\\"}\"],\"category\":\"Event\"}}"
| rename COMMENT as "The above just enters your data as you posted it."
| rex field=data "accountId\\\\\":\\\\\"(?<accountId>[^\\\]+)"
updated from
| rex field=data "accountId[\\\\][\\\"]:[\\\\][\\\"](?<accountId>[^\\\"\\\\]+)[\\\\][\\\"]"
In this case, I used this construct [\\\\] to represent a single escape character \ , and the construct [\\\"] to represent a single quote ".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Figured it out, splunk requires more escaping of slash characters
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Because the rex is in quotes, you need to escape the escape character(s) again, and then iterate testing it until it resolves.
Here's run-anywhere code...
| makeresults
| eval data = "{\"analyticType\":\"CustomAnalytic\",\"buildTarget\":\"blah\",\"clientSessionId\":\"DXFMLAF-CYTQQQK\",\"Properties\":{\"index\":1,\"args\":[\"{\\\"accountId\\\":\\\"exr244040\\\",\\\"customerId\\\":\\\"1001857\\\"}\"],\"category\":\"Event\"}}"
| rename COMMENT as "The above just enters your data as you posted it."
| rex field=data "accountId\\\\\":\\\\\"(?<accountId>[^\\\]+)"
updated from
| rex field=data "accountId[\\\\][\\\"]:[\\\\][\\\"](?<accountId>[^\\\"\\\\]+)[\\\\][\\\"]"
In this case, I used this construct [\\\\] to represent a single escape character \ , and the construct [\\\"] to represent a single quote ".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks this worked for me
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks DalJeanis!
I ended up with
rex "accountId.....(?<extref>[^\\\]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good job. Updated to the simpler version.
Data Management Digest – December 2025
Index This | What is broken 80% of the time by February?
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
