Splunk Search

negate a backslash in regex without negating other characters

jdbtee
Path Finder

Hi,

I want to create a new field, from a string, showing the domain user, where the only constant is "\" which I don't want included.

Sample input:

(no field either side of "\" is predictable)

12345\alice
45632\__test_account__
PC123\bob

My search:

index="dc_report" | rex field=domain_user "(?<user>^.*\\(.*$))" 

This results in unmatched parentheses. Is there a way to use `&#92;` (HTML "\") instead of negation?

The other route is to use the index of "\" and then select to the right. Unsure of what functions to use/how to use them.

0 Karma
1 Solution

kristian_kolb
Ultra Champion

I didn't really understand your data, but the following rex will extract the username part of a domain\user type string. Assuming the field is called "domain_user" and contains the value acme\bob

... | rex field = domain_user "[^\\\\]+\\\\(?<user>.*)"

should extract bob into the field user.

/K

EDIT: corrected the number of backslashes required.

jdbtee
Path Finder

My solution, although not sure how cpu intensive this is.

index="dc_report"| eval user=mvindex(split(domain_user,"\\"),1)

This splits the x\y on the "\" and then passes the output of the 2nd value (i.e. index starts at 0), using mvindex, to the variable "user".

0 Karma

jdbtee
Path Finder

I'd still like to see this done in regex, but it seems Splunk negates any type of parenthesis following a negated backslash, where the online regex testers are unaffected.

Do functions have a significant overhead compared to regex?

0 Karma

kristian_kolb
Ultra Champion

OOPS. The backslashes need to be escaped twice, i.e. four backslashes.

The search language needs escaping \\\\ -> \\
then rex needs escaping as well \\ -> \

Profit!

/K

0 Karma

jdbtee
Path Finder

Hi,

Your solution still negates the 2nd "]" resulting in the error message "Regex: missing terminating ] for character class"

0 Karma
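As an added example (not code from the thread), the following JavaScript simulates the two escaping layers kristian_kolb describes and runs the three rex patterns from this thread over the question's sample values. splUnescape is an assumed, simplified model of SPL string parsing, and JavaScript's RegExp stands in for Splunk's PCRE; for these patterns both engines react the same way.

```javascript
// Added example (not from the thread): reproduce the two escaping layers a Splunk
// rex pattern passes through, then run the resulting regex over the sample values.
// JavaScript's RegExp stands in for Splunk's PCRE; for these patterns it behaves the same.

// Constructed sample values, taken from the question and the accepted answer.
const SAMPLES = ["12345\\alice", "45632\\__test_account__", "PC123\\bob", "acme\\bob"];

// The three rex patterns from the thread, exactly as typed in SPL (String.raw keeps them verbatim).
const ORIGINAL = String.raw`(?<user>^.*\\(.*$))`;       // the question's attempt
const TWO_SLASH = String.raw`[^\\]+\\(?<user>.*)`;      // first answer, before the EDIT
const FOUR_SLASH = String.raw`[^\\\\]+\\\\(?<user>.*)`; // corrected answer

// Layer 1 (assumption: simplified SPL string parsing): inside a double-quoted
// literal, every "\\" pair collapses to a single "\" before the regex engine sees it.
function splUnescape(literal) {
  return literal.replace(/\\\\/g, "\\");
}

// Layer 2: compile what the regex engine finally receives; report the error if it fails.
function compileRex(splLiteral) {
  const pattern = splUnescape(splLiteral);
  try {
    return { pattern, regex: new RegExp(pattern), error: null };
  } catch (e) {
    return { pattern, regex: null, error: e.message };
  }
}

// Extract the named group "user", or null when the pattern is invalid or does not match.
function extractUser(splLiteral, value) {
  const { regex } = compileRex(splLiteral);
  const m = regex ? regex.exec(value) : null;
  return m && m.groups && m.groups.user !== undefined ? m.groups.user : null;
}

// The eval alternative from the thread: split(domain_user, "\\") then mvindex(..., 1).
function splitUser(value) {
  const parts = value.split("\\");
  return parts.length > 1 ? parts[1] : null;
}

for (const spl of [ORIGINAL, TWO_SLASH, FOUR_SLASH]) {
  const { pattern, error } = compileRex(spl);
  console.log(`SPL: ${spl}\n  engine sees: ${pattern}\n  ${error ? "error: " + error : "ok"}`);
}
for (const v of SAMPLES) console.log(v, "->", extractUser(FOUR_SLASH, v), splitUser(v));
```

The two-backslash pattern fails the same way Splunk reports it: after the SPL layer strips one backslash, `[^\]` has escaped its own closing bracket and the character class never terminates.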