The regular expression is correct according to RegExr, but i keep on getting this error
Regex: unmatched parentheses
I am not understanding why my regular expression is not working. Here is what i have in Splunk Search:
rex field=_raw "Member:\W+Security.ID:\W+TARD\\(?<member_added>\S+)"
I just dont see it for whatever reason. Thanks guys
I take it you are trying to escape a backslash character. In that case you need to use 3 backslashes in the rex command like this:
rex field=_raw "Member:\W+Security.ID:\W+TARD\\\(?<member_added>\S+)"
I take it you are trying to escape a backslash character. In that case you need to use 3 backslashes in the rex command like this:
rex field=_raw "Member:\W+Security.ID:\W+TARD\\\(?<member_added>\S+)"
This works, but why? Why does Splunk require three? By my logic I am escaping a backslash - one other backslash should do the trick...