Splunk Search

Why is rex failing to extract a field and getting error "Regex: unmatched parentheses"?

Path Finder

Hello,

I would like to know if there is any restriction in the rex command because for all the rex field-extractions I've used, they worked fine except for this.

The raw data is something like

Jan 6 99:99:99 255.255.255.255 Authentication failed from 10.0.0.0: user 'BLAH-BLAH\userid' (blah blah)

I've tried couple ways to extract the userid from above such as:

"Authentication failed"|rex "(?i)^[^\\]*\\(?P<userid>[^']+)"    
"Authentication failed"|rex "user\s'\S+\\(?<userid>\w*)'"

but both of them give "Regex: unmatched parentheses" message.

What am I doing wrong? Does Splunk fail to extract a field if too many resources are consumed?

0 Karma
1 Solution

Path Finder

Ok I found the issue. Both queries I have provided above have backslash backslash (?.... and Splunk takes it as backslash(? ...." which is the reason why it kept saying unmatched parentheses.

View solution in original post

Motivator
|gentimes start=-1 |eval Raw = "'BLAH-BLAH\Raghav'"|rex field=Raw "\\\(?<UserID>\w+)"

gives me the output Raghav

Path Finder

yeap that works as well! thanks!

0 Karma

Path Finder

Ok I found the issue. Both queries I have provided above have backslash backslash (?.... and Splunk takes it as backslash(? ...." which is the reason why it kept saying unmatched parentheses.

View solution in original post

Path Finder

|rex "user\s'\w+-?\w+.(?\w+)" works where backslash is replaced by . token

0 Karma

Builder

use backslash before '

Path Finder

I don't think ' is escaped character but I tried anyways and it is still not working. Any other idea?

0 Karma