topic Re: I am trying to get URLs out of logs in Splunk. I am getting an error. in Security

I am trying to get URLs out of logs in Splunk. I am getting an error.

infosecowl — Thu, 15 Sep 2016 00:48:50 GMT

my regex query is : xxx.xx.xxx.xxx|regex = (http(s)?:(\/\/)?(w{3}.)?[-a-zA-Z0-9@:%.+~#=]{2,256}(.[a-z]{2,256})?\b([-a-zA-Z0-9@:%+.~#?&\/\/=]*)

The x's are an IP that is also included in the search. I am not disclosing the IP. Sorry

The error is: Error in 'SearchParser': Missing a search command before '-'. Error at position '57' of search query 'search xxx.xx.xxx.xxx|regex = (http(s)?:(\/\/)?(w{...{snipped} {errorcontext = (w{3}.)?[-a-zA-Z0-9@}'.

HELP!!!! I don't understand the error!

Re: I am trying to get URLs out of logs in Splunk. I am getting an error.

sundareshr — Thu, 15 Sep 2016 02:00:39 GMT

To extract a URL without querystring, try this regex. You have too many special chars that need to escaped. Eg: ? s/b \?

(http(s)?[^\?]+)

If you want to include the querystring, then try this

(http(s)?[^\s]+)

Re: I am trying to get URLs out of logs in Splunk. I am getting an error.

cphair — Fri, 13 Jan 2017 18:20:58 GMT

When Splunk says "missing a search command before [some character]", it means the parser got to that character and didn't understand what came next. You could either paste the search into a text editor and manually find character #57, or you could just look for all such characters in your search and try to determine if any of them could be confusing the parser.

In this case, the issue is likely your regex's character set: [-a-zA-Z0-9...]. Even though it's supposed to be legal to lead off the character set with an unescaped hyphen, Splunk does not properly recognize it. You'll need to escape it with a backslash.