Solved: Rex not working for special characters

jravida · ‎09-19-2014

Hi Folks,

I've worked out a regex to pull out group names from audit logs. It works for one field with no special characters, but in another, more elaborated field, my rex becomes confused.
Example

|rex "\w+ added to (?"EXTRACTION SHOULD BE HERE BUT SPLUNK.com FILTERS THE TAGS"\w+) in the \w+"

"Member Bill added to Mail Admin in the Restricted Groups Policy PostOffice"

works fine, but when it becomes more complex I am not sure how to have the rex query ignore all the special characters that may show up

"Member Bill added to Mail Admin in the Restricted Groups Policy (SLASHES)K12\\DC5000Dallas [WEDT] Mail Admin"

This turns up nothing. So basically I want to eliminate the slashes (that don't show up here oddly) and [] that get mixed in, just ignore after the group name extraction. Thanks in advance!

Edit, splunk filters out the tags so the rex looks weird but I'm using the correct named extration

somesoni2 · ‎09-19-2014

Try this

|rex "(\w+\s)+added to (?<myField>.*) in the"

View solution in original post

somesoni2 · ‎09-19-2014

Try this

|rex "(\w+\s)+added to (?<myField>.*) in the"

ppablo · ‎09-19-2014

There's a reason @somesoni2 is always the #1 or #2 ranked user on Answers 😜

sk314 · ‎09-19-2014

that was fast! didn't see it before I posted a somewhat similar regex!!

jravida · ‎09-19-2014

Thanks for the fast response! I was a bit more off than I though!

jravida · ‎09-19-2014

I just want to pull out "Mail Admin" and discard the rest

sk314 · ‎09-19-2014

could you specify what would be the correct extraction in the last example (the one with [WEDT])?

Rex not working for special characters

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases