topic Re: Splunk Regex - Works in regex101 but not Splunk in Splunk Search

Splunk Regex - Works in regex101 but not Splunk

JacobCarrell — Tue, 29 Sep 2020 16:24:55 GMT

I've got a regex that's working in Regex101's editor, but when I paste it into Splunk I get garbage or no results:
Regex:

^(?:[^ \n]* ){5}\[(?P<username>\w+)(?:\].*\])(?P<IP>[^:]+)

Sample entries:
Oct 24 18:43:57 openvpn[36372]: 66.103.224.123:59349 [username] Peer Connection Initiated with [AF_INET]66.103.224.123:59349
Oct 24 18:28:54 openvpn[21337]: 66.103.224.123:50873 [username] Peer Connection Initiated with [AF_INET]66.103.224.123:50873

URL:
https://regex101.com/r/by1mOW/7

Re: Splunk Regex - Works in regex101 but not Splunk

JacobCarrell — Wed, 25 Oct 2017 01:02:59 GMT

Forgot to add, Here's what Splunk captures for the IP:
Initiated with [AF_INET]66.103.224.123

Re: Splunk Regex - Works in regex101 but not Splunk

gcusello — Wed, 25 Oct 2017 07:57:46 GMT

Hi
why you say that doesn't run on Splunk?
I tried this

index=_internal  
|head 1 
| eval ppp="Oct 24 18:43:57 openvpn[36372]: 66.103.224.123:59349 [username] Peer Connection Initiated with [AF_INET]66.103.224.123:59349" 
| rex field=ppp "^(?:[^ \n]* ){5}\[(?P<username>\w+)(?:\].*\])(?P<IP>[^:]+)" 
| table username IP

And I have

username    IP
username    66.103.224.123

Bye.
Giuseppe

Re: Splunk Regex - Works in regex101 but not Splunk

JacobCarrell — Wed, 25 Oct 2017 16:51:29 GMT

Thanks, I didn't know you could do this. It turns out I'm using an app that provides predefined sourcetypes. I ran out of oomph last night after rewriting the regex to grab the IP from the first IP and STILL getting the same results, so somewhere in one of my props.conf or transforms.conf is a bad regex. I'll have to track it down tonight.

For the record, this is syslogs from PFSense.