Solved: Re: rex not working as expected

HattrickNZ · ‎09-10-2017

What is wrong with this rex?? This is the rex that the system gives me when I do a extract fields option.

index=x ... | rex "^(?:[^"\n]*"){3}(?P<index_ks>[^"]+)"
I am getting
Mismatched ']'. when I do the search.

This is the regex working here
https://regex101.com/r/LxVFbf/1

Another way to write it is like this, although not as generic:
index=* | rex "index="(?P<index_ks>.*)";"
which works see here:
https://regex101.com/r/YCn7h6/1

However, the result single quotes at start and end e.g. 'result1' 'result2' in Splunk, but not in the regex101 example.

Would like to understand this better.

HiroshiSatoh · ‎09-10-2017

It is necessary to escape double quotes.

ex.
| rex "^(?:[^\"\n]*\"){3}(?P[^\"]+)"

View solution in original post

youngsuh · ‎04-23-2020

Here is the search with rex. I am lost why it's not working to exact the user.

index=ldap sourcetype="ldap:audit" 
| rex "\s\w{2}=\w\d(?<user>[^,]+)" 
| stats count by user

Here is the event string:

time: 20200423225406
result: 0
changetype: modify
replace: lastLoginTime
lastLoginTime: 20200423225402Z
modifiersName: cn=g5-bdent,ou=srveauth,dc=june,dc=gov

gokadroid · ‎09-10-2017

Your spl line of rex is getting interpreted as below which is making it see it as a misplaced quote after two pairs of quotes:
index=x ... | rex "^(?:[^" \n]* "){3}(?P<index_ks>[^" ]+)"

Like @HiroshiSatoh mentioned the quotes shall be escaped like \" to make it as index=x ... | rex "^(?:[^\"\n]*\"){3}(?P<index_ks>[^\"]+)" if you feel your regex is working fine on regex101.

HiroshiSatoh · ‎09-10-2017

It is necessary to escape double quotes.

ex.
| rex "^(?:[^\"\n]*\"){3}(?P[^\"]+)"

rex not working as expected

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio