Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted
Solved! Jump to solution

What is wrong with my regex? "Regex: missing terminating ] for character class"

dbcase
Motivator
‎11-28-2017 11:41 AM

Hi,

I have this data
{"analyticType":"CustomAnalytic","buildTarget":"blah","clientSessionId":"DXFMLAF-CYTQQQK","Properties":{"index":1,"args":["{\"accountId\":\"exr244040\",\"customerId\":\"1001857\"}"],"category":"Event"}}

And this regex (which works in regex101

accountId\\":\\"(?<extref>[^\\]+)

but splunk barfs when I use it in this query

index=wholesale_app CustomAnalytic Properties.index=1|rex "accountId\\":\\"(?<extref>[^\\]+)"|stats count by extref

with this error message

Error in 'rex' command: Encountered the following error while compiling the regex 'accountId\:\(?<extref>[^\]+)': Regex: missing terminating ] for character class

(scratches head).....what am I doing wrong?

Tags (2)
0 Karma
Reply
1 Solution
Highlighted
Solved! Jump to solution
Solution

Re: What is wrong with my regex? "Regex: missing terminating ] for character class"

DalJeanis
SplunkTrust
SplunkTrust
‎11-28-2017 12:34 PM

Because the rex is in quotes, you need to escape the escape character(s) again, and then iterate testing it until it resolves.

Here's run-anywhere code...

| makeresults 
| eval data = "{\"analyticType\":\"CustomAnalytic\",\"buildTarget\":\"blah\",\"clientSessionId\":\"DXFMLAF-CYTQQQK\",\"Properties\":{\"index\":1,\"args\":[\"{\\\"accountId\\\":\\\"exr244040\\\",\\\"customerId\\\":\\\"1001857\\\"}\"],\"category\":\"Event\"}}"
| rename COMMENT as "The above just enters your data as you posted it."

| rex field=data "accountId\\\\\":\\\\\"(?<accountId>[^\\\]+)"

updated from 

| rex field=data "accountId[\\\\][\\\"]:[\\\\][\\\"](?<accountId>[^\\\"\\\\]+)[\\\\][\\\"]"

In this case, I used this construct [\\\\] to represent a single escape character \ , and the construct [\\\"] to represent a single quote ".

View solution in original post

Reply
Highlighted
Solved! Jump to solution

Re: What is wrong with my regex? "Regex: missing terminating ] for character class"

dbcase
Motivator
‎11-28-2017 12:35 PM

thanks DalJeanis!

I ended up with

rex "accountId.....(?<extref>[^\\\]+)"
Reply
Highlighted
Solved! Jump to solution

Re: What is wrong with my regex? "Regex: missing terminating ] for character class"

DalJeanis
SplunkTrust
SplunkTrust
‎11-28-2017 12:45 PM

Good job. Updated to the simpler version.

0 Karma
Reply
Highlighted
Solved! Jump to solution

Re: What is wrong with my regex? "Regex: missing terminating ] for character class"

dbcase
Motivator
‎11-28-2017 12:34 PM

Figured it out, splunk requires more escaping of slash characters

0 Karma
Reply