If you have the Splunk source code, send me a mail PS: I know that SPL sometimes works even without the proper amount of escape backslashes - but sometimes it doesn't. However, in SPL, this would have to be \"Domain \ \ \\user \" - for the reasons above, and because the quotes have a special meaning.Īddendum: When you use the last regex in SPL in the rex command, it gets put into quotes - like | rex "\"Domain \ \ \\User \" ". In SPL this would have to be Domain \ \ \\user - every backslash in the regex needs it's own escape backslash.Įxample 2: You want to match "Domain\user" - the regex would simply be "Domain \\user" - quotes have no special meaning in regex. Now, to avoid strange behaviour when using regexes in your SPL, you need to escape them again.Įxample 1: You want to match Domain\user in your event. However, it uses the same escape character as regex - the backslash. Why? The SPL parser also knows characters with special meaning (e.g. However - the | rex and | regex command is different (well, anything in SPL with regex is). Now, when you have your clean regex - just use it as it is in any. The quote does not have any special meaning in regex, so " has exactly the same effect.Įxample 2: If you wanna match a literal asterisk, it has to be escaped \* - because the asterisk has a special meaning in regex. What is an unnecessary escape backslash? Well, if you remove it, and your regex still works, and the explanation on the right for that part didn't change - it was unnecessary.Įxample 1: \" can be used in regex, but the backslash is unneeded. Just to make sure, because this is likely the most regularly confused topic in Splunk when using regexes.įirst, create a clean regex in - that means, no unnecessary escapes.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |