Solved: Re: How to escape double backslash in rex/regex co...

ixixix_spl · ‎09-05-2018

I'm having some serious difficulty in figuring out how to escape a double backslash within the REX/regex spl command..
The following regex works on regex101 "title\\\\\"\:\\\\\"(?<event>[^\)].*)\\\\\"\,\\\\\"selection" when extracting the log snippet below to get the "Button Title" text:

"partyId\":\"lahflkhasdljkflkf\",\"title\”:\”Button Title\”,\”selectionType\":\"button\
I found a suggestion on "Tricky behavior of escaping backslash in regex" to \\ to match a single \ but that didn't do the trick. Anyone have advice on how to escape a double backslash in the rex command, and if so please post the regex below!

Thanks!

sudosplunk · ‎09-05-2018

Hi,

I would use \W - Matches any non-word character

Append this ...| rex field=_raw "title\W+(?<event>[\w\s]+) to your search and let me know if it works.

View solution in original post

sudosplunk · ‎09-05-2018

Hi,

I would use \W - Matches any non-word character

Append this ...| rex field=_raw "title\W+(?<event>[\w\s]+) to your search and let me know if it works.

ixixix_spl · ‎09-05-2018

wow that was quick thanks!!!

How to escape double backslash in rex/regex command?

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?