Solved: Re: Why is my regex causing Splunk to return the f...

Task1906 · ‎10-31-2018

Rexex101 works GREAT. However, Splunk gives me an error. I keep getting the following error with the regex below:
I am trying to extract everything before \ or \

Error in 'rex' command: Encountered the following error while compiling the regex '(?[^].)': Regex: missing terminating ] for character class*

| rex field=src_user "\\(?<user>[^\\].*)"

Here are the examples of what I'm trying to extract:
DTTSOL-EAST\SQLAdmin
DTTSOL-EAST\SQLAdmin
task@delly\mason
DANNY@rand\D
calicoe\iron

What am I doing wrong and should I use something else besides regxex101?

javiergn · ‎11-01-2018

Assuming the number of backslashes can vary, I would just go for the following:

| rex field=src_user "[\\\]+(?<user>[^\\\]+)$"

Thanks,
J

View solution in original post

javiergn · ‎11-01-2018

Assuming the number of backslashes can vary, I would just go for the following:

| rex field=src_user "[\\\]+(?<user>[^\\\]+)$"

Thanks,
J

Task1906 · ‎11-01-2018

thank you!!! It works like a charm.

kamlesh_vaghela · ‎10-31-2018

@Task1906

Can you please try this?

Your_search  | rex field=src_user "\\\\(?<user>[^\\\\].*)"

Sample Search:

| makeresults | eval src_user="DTTSOL-EAST\\SQLAdmin"  | rex field=src_user "\\\\(?<user>[^\\\\].*)"

Thanks

Why is my regex causing Splunk to return the following error?: "Regex: missing terminating ] for character class"

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?