Question

Regex

  • January 8, 2025
  • 6 replies
  • 64 views


How am I supposed to check if a UDM field ends with $?

Note that the $ symbol can be present anywhere, but I only want to check if it is at the end.
Can somebody help?









@jstoner 

6 replies

cmmartin_google
Staff
hostname = /\$$/

 

  • /: The forward slashes at the beginning and end are delimiters. They mark the start and end of the regular expression pattern.
  • \$: The dollar sign ($) usually has a special meaning in regular expressions: it signifies the end of a string (or the end of a line in multiline mode). However, here it is preceded by a backslash (\). This backslash is an escape character. It tells the regex engine to treat the following dollar sign as a literal character, not as the special end-of-string anchor.
  • $: As mentioned before, the dollar sign without an escape character would normally match the end of a string. Here it's escaped, so it's just looking for a dollar sign.
  • $ (at the end): This is the special character $, which is not escaped, acting as the end-of-string anchor.

(explanation courtesy of Gemini)

 


  • Author
  • Bronze 2
  • January 8, 2025


This is the error I am getting : 

 

tokenizing: unable to tokenize: invalid char escape

cmmartin_google
Staff


This is the error I am getting : 

 

tokenizing: unable to tokenize: invalid char escape

It is recommended to use single quotes with re.regex 

re.regex($e.target.hostname, `\$$`)

If you use double quotes you then need to escape your escape characters:

re.regex($e.target.hostname, "\\$$")

jstoner
Staff
  • Staff
  • January 8, 2025

@cmmartin_google summed it up neatly above but I will share a blog I wrote on re.regex for future reference. I took a look at trying to use double quotes for something rather than the backtick, but the last 4 paragraphs hopefully provide a nice visual why going with backticks is going to be a better way forward...

https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Matching-with-Regular-Expression-Functions/ba-p/724857

 



Hello all,
@anurag.q.singh Google SecOps recently released a new function that can validate whether a string ends with a specific character, such as “$”.

strings.ends_with(value, suffix)

events:
$e.metadata.product_event_type = "4723" or $e.metadata.product_event_type = "4724"
$e.metadata.vendor_name = "Microsoft"
$e.target.user.userid = $targetUser
$e.principal.user.userid = $sourceUser
$e.principal.hostname = $hostname
not strings.ends_with($sourceUser, "$")

 

You can find the documentation here.

https://cloud.google.com/chronicle/docs/yara-l/functions#stringsends_with

AymanC
  • Bronze 5
  • November 13, 2025

Hi ​@anurag.q.singh,

 

As an alternative to strings.ends_with, you could put the value in '[' and ']', which should work, for example:

principal.user.userid = /test[$]$/

 

Kind Regards,

Ayman
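
The approaches from this thread checked side by side, as an added example in Python rather than YARA-L (not code from any poster; the sample values are constructed). Python's `re` is used only to exercise the patterns offline, and the raw versus non-raw string literals are an analogy for the backtick versus double-quote point made above.

```python
import re

# Constructed sample values: Windows machine accounts end in "$",
# the others carry "$" elsewhere or not at all. None contains a newline,
# because Python's "$" would also match just before a trailing newline.
SAMPLES = ["WKSTN-042$", "svc$backup", "$admin", "jdoe", "cash$$", ""]

# Patterns discussed in the thread, plus two common mistakes for contrast.
PATTERNS = {
    "escaped":    r"\$$",   # literal "$" followed by the end-of-string anchor
    "escaped_dq": "\\$$",   # same pattern in a non-raw literal: backslash doubled
    "bracketed":  r"[$]$",  # "$" inside a character class is always literal
    "unescaped":  r"$$",    # two anchors only: matches every value, even ""
    "no_anchor":  r"\$",    # literal "$" anywhere in the value: too broad
}


def matches(pattern: str, values=SAMPLES) -> list[str]:
    """Return the values in which the pattern is found (unanchored search)."""
    rx = re.compile(pattern)
    return [v for v in values if rx.search(v)]


def ends_with(values=SAMPLES, suffix: str = "$") -> list[str]:
    """Plain suffix test, the non-regex equivalent of the anchored patterns."""
    return [v for v in values if v.endswith(suffix)]


def report() -> dict[str, list[str]]:
    """Run every pattern and the suffix test over the sample values."""
    out = {name: matches(p) for name, p in PATTERNS.items()}
    out["ends_with"] = ends_with()
    return out


if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:11} {hits}")
```
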