All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

FireEye Error

arkonner
Path Finder
‎05-18-2018 02:02 AM

During the splunk server restart and written into _internal index the error reported below is displayed - seems to be introduced by the default configuration on which the app is provided.

Well, any help you that you could give us to solve the error would be appreaciated.

index=_internal eventtype="splunkd-log" log_level=ERROR

05-17-2018 19:07:52.840 +0200 ERROR SearchOperator:kv - Cannot compile RE \"[\w-.]{1,30})\"\s*(sid=\"(?\d*)")?\s*(stype=\"(?[\w-]{1,30})\")?\" for transform 'EXTRACT-malware-info_for_fireeye': Regex: invalid range in character class

0 Karma
Reply

sriley_splunk
Splunk Employee
Splunk Employee
‎01-21-2020 02:42 PM

I found you need to move the hyphen to the end of your capture group.

[\w\.-]

instead of: 

[\w-\.]

The full line would be:

<malware\sname=\"(?<malware_name>[\w\.-]{1,30})\"\s*(sid=\"(?<malware_sid>\d*)")?\s*(stype=\"(?<malware_stype>[\w-]{1,30})\")?
0 Karma
Reply

Azeemering
Builder
‎05-18-2018 03:16 AM

This means that the regex string in the inline field extraction called malware-info_for_fireeye is deemed not correct.
Go to Settings-->Fields-->Field Extractions.
First thing I would do is check if the regex there has not been modfied from the original app by anyone.

It looks to me like it has been modified maybe?
The original is <malware\sname=\"(?<malware_name>[\w-\.]{1,30})\"\s*(sid=\"(?<malware_sid>\d*)")?\s*(stype=\"(?<malware_stype>[\w-]{1,30})\")?

Second I would use regex101.com or regexr.com to check if the regex string is actually correct and works as design

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk MCP & Agentic AI: Machine Data Without Limits

  Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...

Finding Based Detections General Availability

Overview  We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars  Sometimes, you just need to see the code. For those looking for a ...