Solved: Re: Why is my regex causing Splunk to return the f...

Task1906 · ‎10-31-2018

Rexex101 works GREAT. However, Splunk gives me an error. I keep getting the following error with the regex below:
I am trying to extract everything before \ or \

Error in 'rex' command: Encountered the following error while compiling the regex '(?[^].)': Regex: missing terminating ] for character class*

| rex field=src_user "\\(?<user>[^\\].*)"

Here are the examples of what I'm trying to extract:
DTTSOL-EAST\SQLAdmin
DTTSOL-EAST\SQLAdmin
task@delly\mason
DANNY@rand\D
calicoe\iron

What am I doing wrong and should I use something else besides regxex101?

javiergn · ‎11-01-2018

Assuming the number of backslashes can vary, I would just go for the following:

| rex field=src_user "[\\\]+(?<user>[^\\\]+)$"

Thanks,
J

View solution in original post

javiergn · ‎11-01-2018

Assuming the number of backslashes can vary, I would just go for the following:

| rex field=src_user "[\\\]+(?<user>[^\\\]+)$"

Thanks,
J

Task1906 · ‎11-01-2018

thank you!!! It works like a charm.

kamlesh_vaghela · ‎10-31-2018

@Task1906

Can you please try this?

Your_search  | rex field=src_user "\\\\(?<user>[^\\\\].*)"

Sample Search:

| makeresults | eval src_user="DTTSOL-EAST\\SQLAdmin"  | rex field=src_user "\\\\(?<user>[^\\\\].*)"

Thanks

Why is my regex causing Splunk to return the following error?: "Regex: missing terminating ] for character class"

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation