Solved: Why is the following regex expression not matching...

SunilMaharishi · ‎09-17-2018

I have a field user= xyz\user11 and i need to match user11 ignoring xyz in the user filed

below is the regex expression we have been trying but it gives error as unmatched parenthesis or some other and Result field is not available in the logs if it runs successfully .

rex field=user (?\w+\\(\w+))

pjnike · ‎09-17-2018

You have to specify which field to extract the value to. Also, the backslash(\) before opening parenthesis in your query escapes the ( which causes Splunk to give an error of unmatched parenthesis. You need to escape the backslash with \.

Try this: rex field=user "\w+\\\(?<user_name>\w+)"

View solution in original post

richgalloway · ‎09-17-2018

We can't read your rex string because the forum mangled it. To prevent this, put code, HTML, and SPL inside backticks or use the code button (101010).

Backslashes require extra escape characters in regex strings within SPL. Try rex field=user "\\\(?<Result>.*)".

---
If this reply helps you, Karma would be appreciated.

pjnike · ‎09-17-2018

You have to specify which field to extract the value to. Also, the backslash(\) before opening parenthesis in your query escapes the ( which causes Splunk to give an error of unmatched parenthesis. You need to escape the backslash with \.

Try this: rex field=user "\w+\\\(?<user_name>\w+)"

SunilMaharishi · ‎09-17-2018

that was mistyped fieldname was specified though

but it is working now thank you

Why is the following regex expression not matching as expected?

Streamline Data Ingestion With Deployment Server Essentials

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

Introduction to Splunk AI