https://community.splunk.com/t5/Splunk-Search/regex-is-working-in-cisco-asa-add-on-but-get-error-if-the-same/m-p/517045#M145357 <P>According to regex101.com, there are two incomplete capture groups. Adding a couple of parentheses solves this but I am not sure if they are in the right place for what you are trying to extract</P><P>| regex "\s+(?:from|for|src(?! user)) (?:(\S+):)[\w-]*?(\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3})(?:\/(\w+))?<U><STRONG><FONT color="#FF0000">(?:</FONT></STRONG></U>\((?:([\S^\]+)\)?([\w\-_]+)\))?<FONT color="#00FF00"><STRONG>)</STRONG></FONT>\s*\(?(\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3})?\/?(\d+)?\)?\s*<U><STRONG><FONT color="#FF0000">(?:</FONT></STRONG></U>\((?:([\S^\]+)\)?([\w\-_]+)\))?<FONT color="#00FF00"><STRONG>)</STRONG></FONT>"</P> Mon, 31 Aug 2020 15:19:53 GMT ITWhisperer 2020-08-31T15:19:53Z https://community.splunk.com/t5/Splunk-Search/regex-is-working-in-cisco-asa-add-on-but-get-error-if-the-same/m-p/517034#M145354 <P>Hello</P><P>I have the following regex from cisco asa add-on default transforms.conf:</P><P><BR />[cisco_source_ipv4]<BR />REGEX = \s+(?:from|for|src(?! user)) (?:(\S+):)[\w-]*?(\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3})(?:\/(\w+))?(?:\((?:([\S^\\]+)\\)?([\w\-_]+)\))?\s*\(?(\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3})?\/?(\d+)?\)?\s*(?:\((?:([\S^\\]+)\\)?([\w\-_]+)\))?<BR />FORMAT = src_zone::$1 src_ip::$2 src_port::$3 src_nt_domain::$4 src_user::$5 src_translated_ip::$6 src_translated_port::$7 src_nt_domain::$8 src_user::$9</P><P>&nbsp;</P><P>The issue is that If I try to run the regex from UI, I get error :<BR /><SPAN>Error in 'SearchOperator:regex': The regex '\s+(?:from|for|src(?! user)) (?:(\S+):)[\w-]*?(\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3})(?:\/(\w+))?(?:\((?:([\S^\]+)\)?([\w\-_]+)\))?\s*\(?(\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3})?\/?(\d+)?\)?\s*(?:\((?:([\S^\]+)\)?([\w\-_]+)\))?' is invalid. Regex: missing closing parenthesis.</SPAN></P><P><BR />The add-on is working fine as well as search time field extraction so obviously the regex is working fine from transforms.conf but not in UI using regex command.</P><P>Someone can help?</P> Mon, 31 Aug 2020 13:46:16 GMT https://community.splunk.com/t5/Splunk-Search/regex-is-working-in-cisco-asa-add-on-but-get-error-if-the-same/m-p/517034#M145354 net1993 2020-08-31T13:46:16Z https://community.splunk.com/t5/Splunk-Search/regex-is-working-in-cisco-asa-add-on-but-get-error-if-the-same/m-p/517045#M145357 <P>According to regex101.com, there are two incomplete capture groups. Adding a couple of parentheses solves this but I am not sure if they are in the right place for what you are trying to extract</P><P>| regex "\s+(?:from|for|src(?! user)) (?:(\S+):)[\w-]*?(\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3})(?:\/(\w+))?<U><STRONG><FONT color="#FF0000">(?:</FONT></STRONG></U>\((?:([\S^\]+)\)?([\w\-_]+)\))?<FONT color="#00FF00"><STRONG>)</STRONG></FONT>\s*\(?(\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3})?\/?(\d+)?\)?\s*<U><STRONG><FONT color="#FF0000">(?:</FONT></STRONG></U>\((?:([\S^\]+)\)?([\w\-_]+)\))?<FONT color="#00FF00"><STRONG>)</STRONG></FONT>"</P> Mon, 31 Aug 2020 15:19:53 GMT https://community.splunk.com/t5/Splunk-Search/regex-is-working-in-cisco-asa-add-on-but-get-error-if-the-same/m-p/517045#M145357 ITWhisperer 2020-08-31T15:19:53Z https://community.splunk.com/t5/Splunk-Search/regex-is-working-in-cisco-asa-add-on-but-get-error-if-the-same/m-p/517160#M145399 <P>Which regex do you see errors for ? The first one or the one I have paste from the error? Because I noticed now that this one from the error is slightly different from the original and if I paste it in regex101 , then yes, there is error but as far as I see there is no error in the original regex if pasted in regex101, isn't that correct?</P><P>Its strange why splunk has changes on the regex by itself , I guess this is where the error is coming from . Maybe these escaping char makes some bad things ?</P> Tue, 01 Sep 2020 06:44:39 GMT https://community.splunk.com/t5/Splunk-Search/regex-is-working-in-cisco-asa-add-on-but-get-error-if-the-same/m-p/517160#M145399 net1993 2020-09-01T06:44:39Z