Hi,
I have the below regex and Splunk keeps telling me I have a mismatched "[" and for the life of me I can't figure out where:
rex field=properties "\"url\":\"[^"]+\/(?<final_segment>[^"?]*)(\?[^\/"]+)?\""
@dbcase, you would need to escape double quotes in the regular expression for SPL.
Try the following run anywhere search:
| makeresults
| eval properties="\"url\":\"https://www.google.com\""
| rex field=properties "\"url\":\"[^\"]+\/(?<final_segment>[^\"?]*)(\?[^\/\"]+)?\""
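Why the unescaped version fails, as an added example (not code from this thread and not Splunk's own parser): a simplified Python model of reading a double-quoted SPL argument, assuming only `\"` is unescaped and every other backslash sequence reaches the regex engine unchanged. The function names are hypothetical, and Python's `re` stands in for PCRE, so the named group is rewritten to `(?P<...>)` before compiling.

```python
import re

def spl_quoted_arg(text):
    """Read one double-quoted argument; return (value, leftover text)."""
    if not text.startswith('"'):
        raise ValueError("argument must start with a double quote")
    out, i = [], 1
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            nxt = text[i + 1]
            # Assumption: only \" is unescaped; \/ \? etc. pass through as-is.
            out.append('"' if nxt == '"' else ch + nxt)
            i += 2
        elif ch == '"':
            return "".join(out), text[i + 1:]  # unescaped quote ends the string
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated quoted string")

def check_rex(arg):
    """Return (pattern the regex engine receives, leftover, compiled, error)."""
    pattern, leftover = spl_quoted_arg(arg)
    # PCRE (?<name>...) becomes Python (?P<name>...); lookbehinds are untouched.
    py_pattern = re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)
    try:
        return pattern, leftover, re.compile(py_pattern), None
    except re.error as exc:
        return pattern, leftover, None, str(exc)

# The two rex arguments from the thread, copied verbatim.
ORIGINAL = r'"\"url\":\"[^"]+\/(?<final_segment>[^"?]*)(\?[^\/"]+)?\""'
ESCAPED = r'"\"url\":\"[^\"]+\/(?<final_segment>[^\"?]*)(\?[^\/\"]+)?\""'
# Event value produced by the eval in the run-anywhere search.
EVENT = '"url":"https://www.google.com"'

if __name__ == "__main__":
    for label, arg in (("original", ORIGINAL), ("escaped", ESCAPED)):
        pattern, leftover, compiled, error = check_rex(arg)
        print(label, "-> regex seen:", pattern)
        if error:
            print("  compile error:", error, "| leftover:", leftover)
        else:
            print("  final_segment:", compiled.search(EVENT).group("final_segment"))
```

In the original argument the string ends at the first bare `"` inside `[^"]`, so the regex engine only receives `"url":"[^`, which is where the unmatched `[` comes from.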
Thank you niketnilay! (again). 🙂