Solved: Re: Why am I getting regex error "unrecognized cha...

cesar_tomas · ‎03-02-2016

Hello Everyone,

I have a problem with Splunk 6.3 when I am trying to run the rex statement:

| rex "WTIDCCN[-_]\d\d\d\d\":\"(?P<conname>([A-Z0-9#$$%.]{0,42}))\"" max_match=1

The next message is shown:

Error in 'rex' command: Encountered the following error while compiling the regex 'WTIDCCN[-_]\d\d\d\d":"(?P<conname>([A-Z0-9#$$%.]{0,42}))"': Regex: unrecognized character after (?P

What is wrong with my regex?

Any posible solutions?

REgards

cesar_tomas · ‎03-03-2016

Thanks everybody for your participation, i was able to solve mi problem.

I was using in the search app

| rex "WTIDCCN[-_]\d\d\d\d\":\"(?P<conname>([A-Z0-9#$$%.]{0,42}))\"" max_match=1

Here is the solution:

| rex "WTIDCCN[-_]\d\d\d\d\":\"(?P([A-Z0-9#$$%.]{0,42}))\"" max_match=1

View solution in original post

cesar_tomas · ‎03-03-2016

Thanks everybody for your participation, i was able to solve mi problem.

I was using in the search app

| rex "WTIDCCN[-_]\d\d\d\d\":\"(?P<conname>([A-Z0-9#$$%.]{0,42}))\"" max_match=1

Here is the solution:

| rex "WTIDCCN[-_]\d\d\d\d\":\"(?P([A-Z0-9#$$%.]{0,42}))\"" max_match=1

alemarzu · ‎03-03-2016

Can you share a data sample of the event ?

lguinn2 · ‎03-02-2016

You have quotation marks within quotation marks. You escaped them but I wonder what would happen if you used the hex code for the internal quotation marks instead: \x22

Why am I getting regex error "unrecognized character" with my current rex syntax?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases