topic Re: Regex field != expression not matching in Splunk Search

Regex field != expression not matching

raghav130593 — Thu, 09 Feb 2017 00:19:32 GMT

I have a query where I am performing regex matching on two different fields, field1 and field2. index=proxylogs uri!=aa.*|regex field1=".*abc\..*|.*api\..*"|regex field2!="(?i)abc\\xyz[a-z0-9]{5}|(?i)abc\\kkr[a-z0-9]{6}"|.... Field 1 matches with the regex pattern and provides results that have matching values. However, field 2 doesn't work as I am getting the results that do match the regex of field2 and not discarding them. According to the '!=', the values that match that particular regex shouldn't be present in the result of the query, but they are. So, it isn't working as it supposed to. I have tested the regex elsewhere and it is correct. Any ideas?

Re: Regex field != expression not matching

lquinn — Thu, 09 Feb 2017 00:32:54 GMT

Can you post an example event please? One that should be filtered out by the second regex command but is not?

Re: Regex field != expression not matching

raghav130593 — Thu, 09 Feb 2017 00:42:44 GMT

I used stats in the query so I have a statistics table with selected fields. So, an example of the result which shouldn't be there would be
field1 field2
api.twitter.com ABC\xyz1aul4

This should ideally be avoided since it matches the second field's regex but it hasn't

Re: Regex field != expression not matching

gvmorley — Thu, 09 Feb 2017 06:39:03 GMT

Hi,

I think you may need to double-escape the backslash in your second regex. As a test, I tried this:

| makeresults
| eval field1="api.twitter.com"
| eval field2="ABC\xyz1aul4"
| regex field2!="(?i)abc\\\xyz[a-z0-9]{5}"

Which worked (i.e. it returned no results).

Likewise just invert the logic to see if it does match:

| regex field2="(?i)abc\\\xyz[a-z0-9]{5}"

See if that does it.

Re: Regex field != expression not matching

raghav130593 — Tue, 14 Feb 2017 01:50:07 GMT

Yup. That worked. Thanks.