I would like to know if there is any restriction in the rex command, because all the rex field extractions I've used have worked fine except for this one.
The raw data is something like
Jan 6 99:99:99 255.255.255.255 Authentication failed from 10.0.0.0: user 'BLAH-BLAH\userid' (blah blah)
I've tried a couple of ways to extract the userid from the above, such as:
"Authentication failed"|rex "(?i)^[^\\]*\\(?P<userid>[^']+)"
"Authentication failed"|rex "user\s'\S+\\(?<userid>\w*)'"
but both of them give a "Regex: unmatched parentheses" message.
What am I doing wrong? Does Splunk fail to extract a field if too many resources are consumed?
I don't think ' is an escaped character, but I tried anyway and it is still not working. Any other ideas?
OK, I found the issue. Both queries I provided above have \\(?... in them, and Splunk takes that as \(?..., which is why it kept saying unmatched parentheses.
|rex "user\s'\w+-?\w+.(?<userid>\w+)" works, where the backslash is replaced by the . token.
|gentimes start=-1 |eval Raw = "'BLAH-BLAH\Raghav'"|rex field=Raw "\\\(?<UserID>\w+)"
gives me the output Raghav
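To make the escaping issue above reproducible outside Splunk, here is an added example (not from the original post) that models the two-stage processing the answer describes: the search language first unescapes the double-quoted string, and only then does the regex engine see it. The spl_unescape function is an assumption about that first stage (only \\ and \" are collapsed, every other backslash passes through); the sample log line is constructed from the one in the question, and Python's (?P<name>...) group syntax is used in place of the (?<name>...) form that Splunk's PCRE accepts.

```python
import re

# Constructed sample line modelled on the question's event (not real log data).
RAW = ("Jan 6 99:99:99 255.255.255.255 Authentication failed from 10.0.0.0: "
       "user 'BLAH-BLAH\\userid' (blah blah)")

# The strings exactly as they would sit between the double quotes of a rex call.
BROKEN = r"user\s'\S+\\(?P<userid>\w*)'"       # \\ collapses to \ -> regex sees \(
FIXED = r"user\s'\S+\\\(?P<userid>\w*)'"       # \\\ collapses to \\ -> a literal backslash
DOT = r"user\s'\w+-?\w+.(?P<userid>\w+)"       # sidestep the issue: . matches the backslash
EVAL_VALUE = r"'BLAH-BLAH\Raghav'"             # the eval literal from the answer
EVAL_REX = r"\\\(?P<UserID>\w+)"               # the rex literal from the answer


def spl_unescape(literal: str) -> str:
    """Approximate the first stage: what a double-quoted SPL string becomes
    before the regex engine sees it.  Assumption: only \\\\ -> \\ and \\" -> "
    are rewritten; any other backslash sequence is passed through unchanged."""
    out = []
    i = 0
    while i < len(literal):
        c = literal[i]
        if c == "\\" and i + 1 < len(literal) and literal[i + 1] in '\\"':
            out.append(literal[i + 1])   # collapse the escape
            i += 2
        else:
            out.append(c)                # everything else is literal
            i += 1
    return "".join(out)


def compile_error(spl_literal: str):
    """Return the regex compile error the engine would report, or None."""
    try:
        re.compile(spl_unescape(spl_literal))
    except re.error as exc:
        return str(exc)
    return None


def rex_extract(raw: str, spl_literal: str, field: str):
    """Second stage: compile the unescaped pattern and pull one named group."""
    match = re.compile(spl_unescape(spl_literal)).search(raw)
    return match.group(field) if match else None


if __name__ == "__main__":
    print("BROKEN unescapes to:", spl_unescape(BROKEN))
    print("BROKEN compile error:", compile_error(BROKEN))
    print("FIXED  ->", rex_extract(RAW, FIXED, "userid"))
    print("DOT    ->", rex_extract(RAW, DOT, "userid"))
    print("eval   ->", rex_extract(spl_unescape(EVAL_VALUE), EVAL_REX, "UserID"))
```

Running it shows why the error message talks about parentheses: after the first stage the broken pattern contains \( followed by ?, so the opening parenthesis of the capture group has become an optional literal and the closing one is left unmatched. Python reports this as "unbalanced parenthesis"; PCRE, which Splunk uses, words the same failure as "unmatched parentheses".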