Solved: rex capture groups - windows file name and path

brdr · ‎06-11-2018

I'm attempting to capture 2 groups; a windows path and filename. I've successfully written the rex syntax and it works using strong textregex101.com*strong text* app.

| makeresults
| eval test="C:\WINDOWS\TEMP\ABCDE\HELP_WITHREX_64.EXE"
| rex field=test "(?<Path>^.+\\)(?<File>[^\\]+\.\w+$)"
| table Path File

However, when I use in Splunk I get an error "Regex: missing terminating ] for character class." Any idea why? thx.

xpac · ‎06-11-2018

Yeah, the | rex command is a little tricky, as stuff has to be double-escaped. Try replacing \\ with \\\ - that should work.
Hint: This is usually not necessary in config files, but in searches, as those have to be escaped once for the SPL parser and once for the regex parser.

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

View solution in original post

xpac · ‎06-11-2018

Yeah, the | rex command is a little tricky, as stuff has to be double-escaped. Try replacing \\ with \\\ - that should work.
Hint: This is usually not necessary in config files, but in searches, as those have to be escaped once for the SPL parser and once for the regex parser.

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

brdr · ‎06-11-2018

Ah, thanks xpac...

This is the change, and now works.

 rex field=test "(?<Path>^.+\\\)(?<File>[^\\\]+\.\w+$)"

rex capture groups - windows file name and path

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!