topic Regex working on regex101 but not in Splunk in Splunk Search

Regex working on regex101 but not in Splunk

jwalzerpitt — Tue, 07 May 2019 20:21:53 GMT

I have some ADFS logs that I'm trying to pull the IPs from. My regex is as follows:

(?:(^Token\sType):\s*(?:\n(?!Client IP:).*)+\nClient IP:\s*\n|\G)(?<adfs_src>(?:\d{1,3}\.){3}\d{1,3})(?:[,\s]|$)

I tested the regex against an ADFS event on regex101 - link text successfully.

However, pasting into Splunk, the IPs aren't being pulled out as the adfs_src field

Any help would be greatly appreciated

Thx

MuS — Tue, 07 May 2019 20:28:16 GMT

Hi jwalzerpitt,

Try to make it work using the rex command in Splunk, and start with a simplified regex like this:

.... | rex "Client IP:\s+\n|\G(?<adfs_src>(?:\d{1,3}\.){3}\d{1,3})(?:[,\s]|$)"

Once this works, work your way back to add more criteria to the regex.

cheers, MuS

jwalzerpitt — Tue, 07 May 2019 20:40:01 GMT

I simplified as follows and it worked like a charm - thx MuS!

(Client IP:\s*\n|\G)(?<adfs_src>(?:\d{1,3}\.){3}\d{1,3})(?:[,\s]|$)

MuS — Tue, 07 May 2019 20:50:07 GMT

Nice, converted to answer. Please accept 🙂

cheers, MuS

woodcock — Wed, 08 May 2019 01:38:12 GMT

You have both the global and multiline flags set so you need to ensure that these are set in Splunk, too. Try this:

 .... | rex max_match=0 "(?ms)Client IP:\s+\n|\G(?<adfs_src>(?:\d{1,3}\.){3}\d{1,3})(?:[,\s]|$)"

jwalzerpitt — Wed, 08 May 2019 12:28:31 GMT

That worked as well - thx