Solved: How to escape double backslash in rex/regex comman...

ixixix_spl · ‎09-05-2018

I'm having some serious difficulty in figuring out how to escape a double backslash within the REX/regex spl command..
The following regex works on regex101 "title\\\\\"\:\\\\\"(?<event>[^\)].*)\\\\\"\,\\\\\"selection" when extracting the log snippet below to get the "Button Title" text:

"partyId\":\"lahflkhasdljkflkf\",\"title\”:\”Button Title\”,\”selectionType\":\"button\
I found a suggestion on "Tricky behavior of escaping backslash in regex" to \\ to match a single \ but that didn't do the trick. Anyone have advice on how to escape a double backslash in the rex command, and if so please post the regex below!

Thanks!

sudosplunk · ‎09-05-2018

Hi,

I would use \W - Matches any non-word character

Append this ...| rex field=_raw "title\W+(?<event>[\w\s]+) to your search and let me know if it works.

View solution in original post

sudosplunk · ‎09-05-2018

Hi,

I would use \W - Matches any non-word character

Append this ...| rex field=_raw "title\W+(?<event>[\w\s]+) to your search and let me know if it works.

ixixix_spl · ‎09-05-2018

wow that was quick thanks!!!

How to escape double backslash in rex/regex command?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms