What is wrong with this rex?? This is the rex that the system gives me when I do a extract fields option.
index=x ... | rex "^(?:[^"\n]*"){3}(?P<index_ks>[^"]+)"
I am getting
Mismatched ']'.
when I do the search.
This is the regex working here
https://regex101.com/r/LxVFbf/1
Another way to write it is like this, although not as generic:
index=* | rex "index="(?P<index_ks>.*)";"
which works see here:
https://regex101.com/r/YCn7h6/1
However, the result single quotes at start and end e.g. 'result1' 'result2'
in Splunk, but not in the regex101 example.
Would like to understand this better.
It is necessary to escape double quotes.
ex.
| rex "^(?:[^\"\n]*\"){3}(?P
Here is the search with rex. I am lost why it's not working to exact the user.
index=ldap sourcetype="ldap:audit"
| rex "\s\w{2}=\w\d(?<user>[^,]+)"
| stats count by user
Here is the event string:
time: 20200423225406
result: 0
changetype: modify
replace: lastLoginTime
lastLoginTime: 20200423225402Z
modifiersName: cn=g5-bdent,ou=srveauth,dc=june,dc=gov
Your spl line of rex
is getting interpreted as below which is making it see it as a misplaced quote after two pairs of quotes:
index=x ... | rex
"^(?:[^"
\n]*
"){3}(?P<index_ks>[^"
]+)"
Like @HiroshiSatoh mentioned the quotes shall be escaped like \"
to make it as index=x ... | rex "^(?:[^\"\n]*\"){3}(?P<index_ks>[^\"]+)"
if you feel your regex is working fine on regex101.
It is necessary to escape double quotes.
ex.
| rex "^(?:[^\"\n]*\"){3}(?P