rex operation -- Regex: syntax error in subpattern...

apalmier · ‎10-28-2021

Hi,

I'm continuously receiving the error Regex: syntax error in subpattern name (missing terminator) when attempting to search with a 'rex' operation. I've gone through several different message boards and nothing seems to resolve the issue. Any help would be greatly appreciated!

My intention is to grab the "Http-Method" value from the raw event.

Search:

[Search...] | rex field=_raw "Method: (?<Http-Method>.*)"

Sample Event:

2021-10-28 10:55:39,505 1109468116 [http-bio-8443-exec-9] INFO o.a.c.i.LoggingInInterceptor - Inbound Message ----------------------------
ID: 41087
Address: [...Sensitive Information Removed...]

Encoding: ISO-8859-1
Http-Method: POST
Content-Type: application-xml

Headers: [...Sensitive Information Removed...]

richgalloway · ‎10-28-2021

The hyphen (-) character is not allowed in field names. Try this

| rex field=_raw "Method: (?<HttpMethod>\w*)"

---
If this reply helps you, Karma would be appreciated.

PickleRick · ‎10-28-2021

https://www.pcre.org/current/doc/html/pcre2pattern.html#SEC16

In PCRE2, a capture group can be named in one of three ways: (?<name>...) or (?'name'...) as in Perl, or (?P<name>...) as in Python. Names may be up to 32 code units long. When PCRE2_UTF is not set, they may contain only ASCII alphanumeric characters and underscores, but must start with a non-digit. When PCRE2_UTF is set, the syntax of group names is extended to allow any Unicode letter or Unicode decimal digit. In other words, group names must match one of these patterns:

  ^[_A-Za-z][_A-Za-z0-9]*\z   when PCRE2_UTF is not set
  ^[_\p{L}][_\p{L}\p{Nd}]*\z  when PCRE2_UTF is set

rex operation -- Regex: syntax error in subpattern name (missing terminator)

rex

Preparing your Splunk Environment for OpenSSL3

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...