Splunk Search

regex not working

reverse
Contributor

https://regex101.com/r/PNYxi2/2

not working in splunk.

Error in 'rex' command: Encountered the following error while compiling the regex '(?<v1>.+:\.+?\(.+?)\.+)': Regex: unmatched closing parenthesis
0 Karma
1 Solution

Vijeta
Influencer

@reverse - A backslash seems to be misplaced in your expression. It should be '(?<v1>.+:\.+?\(.+?\).+)':

View solution in original post

Vijeta
Influencer

@reverse - A backslash seems to be misplaced in your expression. It should be '(?<v1>.+:\.+?\(.+?\).+)':

jazzypai
Path Finder

Try out the following as for regex101.com

(?<drive>\w)\:\\(?<first>[\w]+)\\(?<second>[\w]+)\\(?<third>[\w]+)\\(?<filename>[\d\w\.]+)

Try this out in splunk;

 | rex field=string "(?<drive>\w)\:\\\(?<first>[\w]+)\\\(?<second>[\w]+)\\\(?<third>[\w]+)\\\(?<filename>[\d\w\.]+)"

This will parse the entire path that you listed.

saurabhkharkar
Path Finder

what are you trying to parse ?

0 Karma

reverse
Contributor

I want to extract DEF.

0 Karma

reverse
Contributor
0 Karma

jazzypai
Path Finder

Do you want to extract DEF or do you want to extract the name of the second directory, where DEF is located?

0 Karma

reverse
Contributor

name of the second directory

0 Karma

saurabhkharkar
Path Finder
| makeresults
| eval string ="c:\ABC\DEF\LOGS\1.LOG"
| rex field=string ".*?\\\\\w+\\\(?<extract_attribute>\w+).+"
| table string extract_attribute
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...