Solved: Why is rex failing to extract a field and getting ...

hcheang · ‎01-06-2015

Hello,

I would like to know if there is any restriction in the rex command because for all the rex field-extractions I've used, they worked fine except for this.

The raw data is something like

Jan 6 99:99:99 255.255.255.255 Authentication failed from 10.0.0.0: user 'BLAH-BLAH\userid' (blah blah)

I've tried couple ways to extract the userid from above such as:

"Authentication failed"|rex "(?i)^[^\\]*\\(?P<userid>[^']+)"    
"Authentication failed"|rex "user\s'\S+\\(?<userid>\w*)'"

but both of them give "Regex: unmatched parentheses" message.

What am I doing wrong? Does Splunk fail to extract a field if too many resources are consumed?

hcheang · ‎01-07-2015

Ok I found the issue. Both queries I have provided above have backslash backslash (?.... and Splunk takes it as backslash(? ...." which is the reason why it kept saying unmatched parentheses.

View solution in original post

Raghav2384 · ‎01-07-2015

|gentimes start=-1 |eval Raw = "'BLAH-BLAH\Raghav'"|rex field=Raw "\\\(?<UserID>\w+)"

gives me the output Raghav

hcheang · ‎01-07-2015

yeap that works as well! thanks!

hcheang · ‎01-07-2015

Ok I found the issue. Both queries I have provided above have backslash backslash (?.... and Splunk takes it as backslash(? ...." which is the reason why it kept saying unmatched parentheses.

hcheang · ‎01-07-2015

|rex "user\s'\w+-?\w+.(?\w+)" works where backslash is replaced by . token

kml_uvce · ‎01-06-2015

use backslash before '

hcheang · ‎01-07-2015

I don't think ' is escaped character but I tried anyways and it is still not working. Any other idea?

Why is rex failing to extract a field and getting error "Regex: unmatched parentheses"?

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk