https://community.splunk.com/t5/All-Apps-and-Add-ons/Help-with-regex/m-p/65886#M4081 <P>I think it's because there's a hyphen missing inside the innermost square brackets. Try:</P> <PRE><CODE>(?s)--[0-9a-f]+-H--\n.*\[msg \"(?P&lt;msg&gt;[\w\s\/.-]+)\"\] </CODE></PRE> <P>instead. (In case it's hard to see, the difference is 8 characters from the end.)</P> <P>Your previous regex was only looking for letters, numbers, underscores, whitespace, slashes and dots between the double quotes. Hence it didn't match because "CSRF Attack Detected - Missing CSRF Token" has a hyphen in the middle.</P> Tue, 19 Mar 2013 13:01:35 GMT dmr195 2013-03-19T13:01:35Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Help-with-regex/m-p/65885#M4080 <P>Hi,</P> <P>I extracted a field with Splunk Field Extractor which seemed to work until I noticed it didn't capture all messages (i.e. <STRONG>CSRF Attack Detected - Missing CSRF Token</STRONG>) from ModSecurity.</P> <P>Here some Log msg:<BR /> <PRE><CODE>--f7d234hc-H--<BR /> Message: Warning. Match of "eq 1" against "&amp;ARGS:CSRF_TOKEN" required. [file "/cut/modsecurity_crs_43_csrf_protection.conf"] [line "31"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."]<BR /> Message: Failed to write to DBM file "/tmp/global": Invalid argument<BR /> Apache-Handler: perl-script<BR /> --f7d3t15d-Z--</CODE></PRE></P> <P>This is what the app gave me</P> <PRE><CODE>(?s)--[0-9a-f]+-H--\n.*\[msg \"(?P&lt;msg&gt;[\w\s\/.]+)\"\] </CODE></PRE> <P>Is there something wrong with it? Can it be done more efficiently?</P> <P>Thanks in advance.</P> <P>Cheers<BR /> Mike</P> Mon, 28 Sep 2020 13:32:34 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Help-with-regex/m-p/65885#M4080 lemikg 2020-09-28T13:32:34Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Help-with-regex/m-p/65886#M4081 <P>I think it's because there's a hyphen missing inside the innermost square brackets. Try:</P> <PRE><CODE>(?s)--[0-9a-f]+-H--\n.*\[msg \"(?P&lt;msg&gt;[\w\s\/.-]+)\"\] </CODE></PRE> <P>instead. (In case it's hard to see, the difference is 8 characters from the end.)</P> <P>Your previous regex was only looking for letters, numbers, underscores, whitespace, slashes and dots between the double quotes. Hence it didn't match because "CSRF Attack Detected - Missing CSRF Token" has a hyphen in the middle.</P> Tue, 19 Mar 2013 13:01:35 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Help-with-regex/m-p/65886#M4081 dmr195 2013-03-19T13:01:35Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Help-with-regex/m-p/65887#M4082 <P>Hi,</P> <P>here are more things to be considered: </P> <P>(a) it seams that the message does not start with a hex-coded ID in hyphens and that "H"<BR /> (b) you aren't getting the whole message text if it contains a hyphen</P> <P>Something like this should work:<BR /> <CODE>(?s)--[0-9a-z]+-[A-Z]--\n.*\[msg \"(?P&lt;msg&gt;[-\w\s\/.]+)\"\]</CODE></P> Tue, 19 Mar 2013 13:10:03 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Help-with-regex/m-p/65887#M4082 bjoernjensen 2013-03-19T13:10:03Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Help-with-regex/m-p/65888#M4083 <P>It seems, that did the trick. Thank you very much.</P> Tue, 19 Mar 2013 14:12:52 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Help-with-regex/m-p/65888#M4083 lemikg 2013-03-19T14:12:52Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Help-with-regex/m-p/65889#M4084 <P>thanks to you, too. I tried that as well and worked. have a great one.<BR /> cheers<BR /> Mike</P> Tue, 19 Mar 2013 14:13:30 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Help-with-regex/m-p/65889#M4084 lemikg 2013-03-19T14:13:30Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Help-with-regex/m-p/65890#M4085 <P>I feel a little guilty that my answer was accepted here, as I missed the first required change. The regex in this answer is the one to use.</P> Wed, 20 Mar 2013 09:29:01 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Help-with-regex/m-p/65890#M4085 dmr195 2013-03-20T09:29:01Z