Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: rex not working as expected
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is wrong with this rex?? This is the rex that the system gives me when I do a extract fields option.
index=x ... | rex "^(?:[^"\n]*"){3}(?P<index_ks>[^"]+)"
I am getting
Mismatched ']'. when I do the search.
This is the regex working here
https://regex101.com/r/LxVFbf/1
Another way to write it is like this, although not as generic:
index=* | rex "index="(?P<index_ks>.*)";"
which works see here:
https://regex101.com/r/YCn7h6/1
However, the result single quotes at start and end e.g. 'result1' 'result2' in Splunk, but not in the regex101 example.
Would like to understand this better.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is necessary to escape double quotes.
ex.
| rex "^(?:[^\"\n]*\"){3}(?P
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is the search with rex. I am lost why it's not working to exact the user.
index=ldap sourcetype="ldap:audit"
| rex "\s\w{2}=\w\d(?<user>[^,]+)"
| stats count by user
Here is the event string:
time: 20200423225406
result: 0
changetype: modify
replace: lastLoginTime
lastLoginTime: 20200423225402Z
modifiersName: cn=g5-bdent,ou=srveauth,dc=june,dc=gov
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your spl line of rex is getting interpreted as below which is making it see it as a misplaced quote after two pairs of quotes:
index=x ... | rex "^(?:[^" \n]* "){3}(?P<index_ks>[^" ]+)"
Like @HiroshiSatoh mentioned the quotes shall be escaped like \" to make it as index=x ... | rex "^(?:[^\"\n]*\"){3}(?P<index_ks>[^\"]+)" if you feel your regex is working fine on regex101.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is necessary to escape double quotes.
ex.
| rex "^(?:[^\"\n]*\"){3}(?P
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Automating Threat Operations and Threat Hunting with Recorded Future
Keep the Learning Going with the New Best of .conf Hub
Splunk Community Badges!
