topic Re: How do I construct a regular expression with wildcard matching? in Splunk Search

How do I construct a regular expression with wildcard matching?

dbcase — Thu, 15 Sep 2016 15:24:38 GMT

Hi,

I have data that looks like this

####<Sep 15, 2016 9:35:27 AM CDT> <Debug> <ucontrol> <betamax-cpe1> <managedServer1> <client-8> <<anonymous>> <> <> <1473950127749> <BEA-000000> <org.jivesoftware.util.Log  - SENT: <failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><not-authorized/></failure>> 

####<Sep 15, 2016 10:18:53 AM CDT> <Warning> <ucontrol> <betamax-cpe1> <managedServer1> <smsQueueListenerContainer-1> <<anonymous>> <BEA1-35C7B98CDE9F> <> <1473952733478> <BEA-000000> <fn.service.impl.NumerexSmsSender  - UCE-22233 - Failed to send Numerex sms message to 5555555555> 

####<Sep 15, 2016 10:11:46 AM CDT> <Warning> <ucontrol> <betamax-portal1> <managedServer3> <[ACTIVE] ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1473952306182> <BEA-000000> <fn.webapp.listener.AuthenticationListener  - Authentication Auditing Failed: AuthenticationFailureBadCredentialsEvent>

What I need to do is search on a failure but the failure condition is presented in several ways (i.e. failed: OR failed; OR failed, OR failed. OR <failure

What I need to do is match on failed* OR <failure and then capture to the end of the line.

Still rather new to regex so I'm unsure how to do wildcard matching

Re: How do I construct a regular expression with wildcard matching?

inventsekar — Thu, 15 Sep 2016 15:40:32 GMT

Please check this -

sourcetype=failure | rex field=_raw "<?[fF]ail[eu][dr]?e?[:;,. ](?<failedCode>.*)" | table failedCode _time _raw

Re: How do I construct a regular expression with wildcard matching?

richgalloway — Thu, 15 Sep 2016 15:47:38 GMT

Something like this, perhaps?

... | rex "fail\w*\s*(?<failureMsg>.*)" | ...

Re: How do I construct a regular expression with wildcard matching?

twinspop — Thu, 15 Sep 2016 15:57:07 GMT

... | rex "<?[fF]ail[eu][dr]?e?[:;,. ](?<failure_code>.*)"

Re: How do I construct a regular expression with wildcard matching?

sundareshr — Thu, 15 Sep 2016 16:14:47 GMT

Try this

... | rex "\b(?<failmsg>[Ff]ail.*)"

Re: How do I construct a regular expression with wildcard matching?

dbcase — Thu, 15 Sep 2016 16:28:55 GMT

I have no idea how you do regex so eloquently.... Maybe one day I can do the same.... 🙂

Re: How do I construct a regular expression with wildcard matching?

aaraneta_splunk — Thu, 15 Sep 2016 17:42:46 GMT

Hi @dbcase - Just so you know, I edited your original question to include your revised/correct last sentence instead of having it as a floating comment 🙂