- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Rexex101 works GREAT. However, Splunk gives me an error. I keep getting the following error with the regex below:
I am trying to extract everything before \ or \
Error in 'rex' command: Encountered the following error while compiling the regex '(?[^].)': Regex: missing terminating ] for character class*
| rex field=src_user "\\(?<user>[^\\].*)"
Here are the examples of what I'm trying to extract:
DTTSOL-EAST\SQLAdmin
DTTSOL-EAST\SQLAdmin
task@delly\mason
DANNY@rand\D
calicoe\iron
What am I doing wrong and should I use something else besides regxex101?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming the number of backslashes can vary, I would just go for the following:
| rex field=src_user "[\\\]+(?<user>[^\\\]+)$"
Thanks,
J
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming the number of backslashes can vary, I would just go for the following:
| rex field=src_user "[\\\]+(?<user>[^\\\]+)$"
Thanks,
J
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you!!! It works like a charm.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Task1906
Can you please try this?
Your_search | rex field=src_user "\\\\(?<user>[^\\\\].*)"
Sample Search:
| makeresults | eval src_user="DTTSOL-EAST\\SQLAdmin" | rex field=src_user "\\\\(?<user>[^\\\\].*)"
Thanks
