negate a backslash in regex without negating other characters

jdbtee
Path Finder

Hi,

I want to create a new field, from a string, showing the domain user, where the only constant is "\" which I don't want included.

Sample input:

(no field either side of "\" is predictable)

12345\alice
45632\__test_account__
PC123\bob

My search:

index="dc_report" | rex field=domain_user "(?<user>^.*\\(.*$))" 

This results in unmatched parentheses. Is there a way to use &#92 (HTML "\") instead of negation?

The other route is to use the index of "\" and then select to the right. Unsure of what functions to use/how to use them.

1 Solution

kristian_kolb
Ultra Champion

I didn't really understand your data, but the following rex will extract the username part of a domain\user type string. Assuming the field is called "domain_user" and contains the value acme\bob

... | rex field = domain_user "[^\\\\]+\\\\(?<user>.*)"

should extract bob into the field user.

/K

EDIT: corrected the number of backslashes required.

jdbtee
Path Finder

My solution, although not sure how CPU intensive this is.

index="dc_report"| eval user=mvindex(split(domain_user,"\\"),1)

This splits the x\y on the "\" and then passes the output of the 2nd value (i.e. index starts at 0), using mvindex, to the variable "user".


jdbtee
Path Finder

I'd still like to see this done in regex, but it seems Splunk negates any type of parenthesis proceeding a negated backslash, where the online regex testers are unaffected.

Do functions have a significant overhead compared to regex?


kristian_kolb
Ultra Champion

OOPS. The backslashes need to be escaped twice, i.e. four backslashes.

The search language needs escaping \\\\ -> \\
then rex needs escaping as well \\ -> \

Profit!

/K


jdbtee
Path Finder

Hi,

Your solution still negates the 2nd "]" resulting in the error message "Regex: missing terminating ] for character class"

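To see why the backslash count matters (the two escaping layers Kristian describes, and the "missing terminating ]" error jdbtee hit), here is an added Python model that is not part of the thread and not Splunk's own code: it applies the SPL string unescape the thread describes (`\\` -> `\`, `\"` -> `"`, everything else passed through) and then the regex, for the three patterns posted, and mirrors the split/mvindex answer. The `domain_user` sample values are constructed from the question.

```python
import re

# Constructed sample values for the Splunk field domain_user used in the thread.
SAMPLES = ["12345\\alice", "45632\\__test_account__", "PC123\\bob"]


def spl_unescape(quoted_body):
    """Model of the SPL string layer as described in the thread: inside "...",
    \\ becomes \ and \" becomes ". Any other backslash sequence reaches rex unchanged."""
    out, i = [], 0
    while i < len(quoted_body):
        ch = quoted_body[i]
        if ch == "\\" and i + 1 < len(quoted_body) and quoted_body[i + 1] in '\\"':
            out.append(quoted_body[i + 1])
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def rex_user(spl_pattern, value):
    """Apply a rex pattern the way the thread says Splunk does: SPL unescape, then regex.
    Returns the captured user, None for no match, or 'error: ...' for a bad pattern."""
    pcre = spl_unescape(spl_pattern)
    # Python spells named groups (?P<name>...); PCRE's (?<name>...) is converted here,
    # leaving lookbehinds (?<= and (?<! untouched.
    py_pattern = re.sub(r"\(\?<(?![=!])", "(?P<", pcre)
    try:
        match = re.search(py_pattern, value)
    except re.error as exc:
        return f"error: {exc}"
    return match.group("user") if match else None


def split_user(value):
    """The split/mvindex alternative: the part after the first backslash, or None."""
    parts = value.split("\\", 1)  # split(domain_user, "\\") followed by mvindex(..., 1)
    return parts[1] if len(parts) == 2 else None


if __name__ == "__main__":
    for spl in [r"(?<user>^.*\\(.*$))",        # original attempt: a stray ")" reaches the regex
                r"[^\\]+\\(?<user>.*)",        # two backslashes: "\]" escapes the "]", class never closes
                r"[^\\\\]+\\\\(?<user>.*)"]:   # four backslashes: one literal "\" survives to the regex
        print(f'rex "{spl}" -> {spl_unescape(spl)!r} -> {rex_user(spl, SAMPLES[2])}')
    print([split_user(s) for s in SAMPLES])
```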