Hi,
I want to create a new field, from a string, showing the domain user, where the only constant is "\" which I don't want included.
Sample input:
(no field either side of "\" is predictable)
12345\alice
45632\__test_account__
PC123\bob
My search:
index="dc_report" | rex field=domain_user "(?<user>^.*\\(.*$))"
This results in unmatched parentheses. Is there a way to use \ (HTML "\") instead of negation?
The other route is to use the index of "\" and then select to the right. Unsure of what functions to use/how to use them.
I didn't really understand your data, but the following rex will extract the username part of a domain\user type string. Assuming the field is called "domain_user" and contains the value acme\bob
... | rex field = domain_user "[^\\\\]+\\\\(?<user>.*)"
should extract bob into the field user.
/K
EDIT: corrected the number of backslashes required.
My solution, although not sure how cpu intensive this is.
index="dc_report"| eval user=mvindex(split(domain_user,"\\"),1)
This splits the x\y on the "\" and then passes the output of the 2nd value (i.e. index starts at 0), using mvindex, to the variable "user".
I'd still like to see this done in regex, but it seems Splunk negates any type of parenthesis proceeding a negated backslash, where the online regex testers are unaffected.
Do functions have a significant overhead compared to regex?
OOPS. The backslashes need to be escaped twice, i.e. four backslashes.
The search language needs escaping: \\\\ -> \\
then rex needs escaping as well: \\ -> \
Profit!
/K
Hi,
Your solution still negates the 2nd "]" resulting in the error message "Regex: missing terminating ] for character class"
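The two escaping layers discussed in this thread can be reproduced offline. The following is an added example, not code from any poster: `spl_unquote` is an assumed model of the search-language layer, Python's `re` stands in for the PCRE engine behind rex, and the two-backslash pattern is an assumed reconstruction of the answer before its edit.

```python
import re

# Field values from the question (the text left of "\" is unpredictable).
SAMPLES = ["12345\\alice", "45632\\__test_account__", "PC123\\bob"]

def spl_unquote(literal):
    r"""Assumed model of the search-language layer described in the thread:
    inside a quoted argument \\ collapses to \ and \" to "; any other
    backslash sequence (such as \d) passes through unchanged."""
    out, i = [], 0
    while i < len(literal):
        pair = literal[i:i + 2]
        if pair in ("\\\\", '\\"'):
            out.append(pair[1])
            i += 2
        else:
            out.append(literal[i])
            i += 1
    return "".join(out)

def rex(literal, value):
    """Return (user, error) for one value, as the regex engine sees the pattern."""
    pattern = spl_unquote(literal)
    # Python's re spells named groups (?P<name>...); PCRE accepts (?<name>...).
    pattern = re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)
    try:
        m = re.search(pattern, value)
    except re.error as exc:
        return None, exc.msg
    return (m.group("user") if m else None), None

# Patterns exactly as typed between the double quotes of the search.
ORIGINAL = r"(?<user>^.*\\(.*$))"      # from the question
TWO = r"[^\\]+\\(?<user>.*)"           # assumed pre-edit form, not on the page
FOUR = r"[^\\\\]+\\\\(?<user>.*)"      # the answer after its edit

if __name__ == "__main__":
    for name, lit in (("original", ORIGINAL), ("two", TWO), ("four", FOUR)):
        print(name, "-> regex engine receives:", spl_unquote(lit))
        for v in SAMPLES:
            print("   ", v, rex(lit, v))
```

After the first layer the question's pattern contains `\(`, a literal parenthesis, which leaves one `)` unmatched; the two-backslash form contains `[^\]`, where `\]` no longer closes the character class.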