topic Re: Regex command causing the search to not work - unknown search command in Splunk Search

Regex command causing the search to not work - unknown search command

ssjabid — Wed, 18 Sep 2019 11:22:10 GMT

Hi People,

I am trying to run a regex command to cut out a part of the REQ field,
On regex 101 it is working fine, however on Splunk it is causing problems and i get an unknown search command error

Here is the query i am using,

index=was_unauth sourcetype=ibm:was:jmx ReqMethod="POST" 
NOT [| inputlookup policy_wlist_ipaddr_digital_ | fields src]
| rename DIP as src, SIP as src CUST as username USR as username
| rex field=_raw REQ\=\".*\/(?<page>\w*[^0-9]+(\.jsp)?)\/?\"
| search src!="10.0.0.0/8" src!="141.92.0.0/16" NOT username=* page!="phoneauthentication" AND page!="1*"
| stats count by page

I do not want the regex command to cut out pages with numbers in them, so i've included [^0-9] in there which works on regex 101 but Splunk does not like it, even when i use a backslash to block it out but it still doesn't pull out the data,

I've also tried using

index=was_unauth sourcetype=ibm:was:jmx ReqMethod="POST" 
NOT [| inputlookup policy_wlist_ipaddr_digital_ | fields src]
| rename DIP as src, SIP as src CUST as username USR as username
| rex field=_raw REQ\=\".*\/(?<page>[a-zA-Z_]+(\.jsp)?)\/?\"
| search src!="10.0.0.0/8" src!="141.92.0.0/16" NOT username=* page!="phoneauthentication" AND page!="1*"
| stats count by page

but this gives me the unknown search command :a error

Any help would be greatly appreciated,
Thanks

Re: Regex command causing the search to not work - unknown search command

kamlesh_vaghela — Wed, 18 Sep 2019 11:42:33 GMT

@ssjabid

Can you please share sample data???

Re: Regex command causing the search to not work - unknown search command

ssjabid — Wed, 18 Sep 2019 11:47:32 GMT

REQ="././././switches" EVC="EVT_TRACE" EID="securityfilter.request" DIP="" CLS="" 4ReqURI="///*/api/v1/switches"

so i am trying to capture the switches part in REQ however sometimes when a log appears with a number would appear instead, i would like to ignore that, but [^0-9] doesn't happen to work

Re: Regex command causing the search to not work - unknown search command

gcusello — Wed, 18 Sep 2019 12:19:34 GMT

Hi ssjabid,
did you tried with quotes in rex command?

| rex "REQ\=\".*\/(?<page>\w*[^0-9]+(\.jsp)?)\/?\""

Optiion field=_raw isn't important.

Bye.
Giuseppe

Re: Regex command causing the search to not work - unknown search command

janispelss — Wed, 18 Sep 2019 12:47:21 GMT

The rex command requires quotation marks around the regex expression.
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex#Required_arguments

Re: Regex command causing the search to not work - unknown search command

ssjabid — Wed, 18 Sep 2019 15:01:15 GMT

Managed to get it working 🙂 this did help! thank you!