Hello Everyone,
I have a problem with Splunk 6.3 when I am trying to run the rex statement:
| rex "WTIDCCN[-_]\d\d\d\d\":\"(?P<conname>([A-Z0-9#$$%.]{0,42}))\"" max_match=1
The following message is shown:
Error in 'rex' command: Encountered the following error while compiling the regex 'WTIDCCN[-_]\d\d\d\d":"(?P<conname>([A-Z0-9#$$%.]{0,42}))"': Regex: unrecognized character after (?P
What is wrong with my regex?
Any possible solutions?
Regards
Thanks everybody for your participation, I was able to solve my problem.
I was using this in the search app:
| rex "WTIDCCN[-_]\d\d\d\d\":\"(?P<conname>([A-Z0-9#$$%.]{0,42}))\"" max_match=1
Here is the solution:
| rex "WTIDCCN[-_]\d\d\d\d\":\"(?P([A-Z0-9#$$%.]{0,42}))\"" max_match=1
Can you share a data sample of the event?
You have quotation marks within quotation marks. You escaped them but I wonder what would happen if you used the hex code for the internal quotation marks instead: \x22