Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I getting regex error "unrecognized character" with my current rex syntax?

cesar_tomas
Explorer
‎03-02-2016 10:22 AM

Hello Everyone,

I have a problem with Splunk 6.3 when I am trying to run the rex statement:

| rex "WTIDCCN[-_]\d\d\d\d\":\"(?P<conname>([A-Z0-9#$$%.]{0,42}))\"" max_match=1

The next message is shown:

Error in 'rex' command: Encountered the following error while compiling the regex 'WTIDCCN[-_]\d\d\d\d":"(?P<conname>([A-Z0-9#$$%.]{0,42}))"': Regex: unrecognized character after (?P

What is wrong with my regex?

Any posible solutions?

REgards

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cesar_tomas
Explorer
‎03-03-2016 07:19 AM

Thanks everybody for your participation, i was able to solve mi problem.

I was using in the search app

| rex "WTIDCCN[-_]\d\d\d\d\":\"(?P<conname>([A-Z0-9#$$%.]{0,42}))\"" max_match=1

Here is the solution:

| rex "WTIDCCN[-_]\d\d\d\d\":\"(?P([A-Z0-9#$$%.]{0,42}))\"" max_match=1

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

cesar_tomas
Explorer
‎03-03-2016 07:19 AM

Thanks everybody for your participation, i was able to solve mi problem.

I was using in the search app

| rex "WTIDCCN[-_]\d\d\d\d\":\"(?P<conname>([A-Z0-9#$$%.]{0,42}))\"" max_match=1

Here is the solution:

| rex "WTIDCCN[-_]\d\d\d\d\":\"(?P([A-Z0-9#$$%.]{0,42}))\"" max_match=1
0 Karma
Reply
Solved! Jump to solution

alemarzu
Motivator
‎03-03-2016 04:29 AM

Can you share a data sample of the event ?

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎03-02-2016 04:18 PM

You have quotation marks within quotation marks. You escaped them but I wonder what would happen if you used the hex code for the internal quotation marks instead: \x22

Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...