topic Re: Regex not working on splunk for the expression which works well on regex 101 in Splunk Search

Regex not working on splunk for the expression which works well on regex 101

Shariq — Thu, 28 Oct 2021 19:57:40 GMT

i have data as below :

Request-all-Headers = Accept - */* Authorization - Bearer m6CsheaxrlMKIBH3vZ0EXk5G3rw6 Content-Type - application/json Host - api.ingrammicro.com IM-CorrelationID - 213.45245849 IM-CountryCode - TN IM-CustomerNumber - 44-999999 IM-SenderID - Global Reward Solutions simulateStatus - IM::SHIPPED X-Forwarded-For - 10.0.0.0X-Forwarded-Port - 123 X-Forwarded-Proto - https

and working rex below from regex 101 :

IM-CountryCode\s+-\s+(?P<country>[A-Z]{2})\s+IM-CustomerNumber\s+-\s+(?P<custno>[0-9]+-[0-9]{6})

now when I tried the same with splunk. splunk is not able to extract the fields . my splunk query is below :

index=test sourcetype="test"
| rex field=Request-all-Headers "IM-CountryCode\s+-\s+(?P<country>[A-Z]{2})"
| rex field=Request-all-Headers "IM-CustomerNumber\s+-\s+(?P<custno>[0-9]+-[0-9]{6})"

Re: Regex not working on splunk for the expression which works well on regex 101

jbanAtSplunk — Thu, 28 Oct 2021 20:34:02 GMT

Hi, can you try your original search?

| makeresults | eval Request-all-Headers="Accept - */* Authorization - Bearer m6CsheaxrlMKIBH3vZ0EXk5G3rw6 Content-Type - application/json Host - api.ingrammicro.com IM-CorrelationID - 213.45245849 IM-CountryCode - TN IM-CustomerNumber - 44-999999 IM-SenderID - Global Reward Solutions simulateStatus - IM::SHIPPED X-Forwarded-For - 10.0.0.0X-Forwarded-Port - 123 X-Forwarded-Proto - https" | rex field=Request-all-Headers "IM-CountryCode\s+-\s+(?P<country>[A-Z]{2})\s+IM-CustomerNumber\s+-\s+(?P<custno>[0-9]+-[0-9]{6})" | table Request-all-Headers country custno

Re: Regex not working on splunk for the expression which works well on regex 101

Shariq — Thu, 28 Oct 2021 21:00:39 GMT

No , it is still not working in Splunk with real event. i can see the events but the query is not doing anything the make result is something I tried in all ways and it works with make result but not with the query with original event.

| makeresults | eval Request-all-Headers="Accept - */* Authorization - Bearer m6CsheaxrlMKIBH3vZ0EXk5G3rw6 Content-Type - application/json Host - api.ingrammicro.com IM-CorrelationID - 213.45245849 IM-CountryCode - TN IM-CustomerNumber - 44-999999 IM-SenderID - Global Reward Solutions simulateStatus - IM::SHIPPED X-Forwarded-For - 10.0.0.0X-Forwarded-Port - 123 X-Forwarded-Proto - https" | rex field=Request-all-Headers "IM-CountryCode\s+-\s+(?P<country>[A-Z]{2})"
| rex field=Request-all-Headers "IM-CustomerNumber\s+-\s+(?P<custno>[0-9]+-[0-9]{6})" | table Request-all-Headers country custno

Re: Regex not working on splunk for the expression which works well on regex 101

Shariq — Thu, 28 Oct 2021 21:05:29 GMT

i even tried changing the variable name but no luck

Re: Regex not working on splunk for the expression which works well on regex 101

jbanAtSplunk — Thu, 28 Oct 2021 21:11:22 GMT

Have you tried on _raw filed?
like
rex field=_raw "your_regex"

Re: Regex not working on splunk for the expression which works well on regex 101

Shariq — Thu, 28 Oct 2021 21:20:59 GMT

i did not try _raw earlier but when I did just now,it worked. but still, I am not clear why request-all-header is not working since I can see that this field is getting extracted properly without any rex.

Re: Regex not working on splunk for the expression which works well on regex 101

ITWhisperer — Fri, 29 Oct 2021 12:01:38 GMT

Try putting the field name in single quotes in the rex command

Re: Regex not working on splunk for the expression which works well on regex 101

Shariq — Fri, 29 Oct 2021 20:48:01 GMT

single quote did not worked