
Splunk_TA_bluecoat-proxysg "Bad regex value" error after upgrade from Splunk 6.2.6 to 6.3.5

pjohnson1
Path Finder

Hello,

After we upgraded Splunk to 6.3.5, our Splunk_TA_bluecoat-proxysg started producing a bad regex error:

btool.log

Bad regex value: '(?[^;]+)', of param: transforms.conf / [bluecoat_categories] / REGEX; why: unrecognized character after (? or (?- transforms.conf

transforms.conf

[bluecoat_categories]
SOURCE_KEY = cs_categories
REGEX = (?[^;]+)
MV_ADD = true

Thanks again!

0 Karma

michael_sleep
Communicator

As someone already mentioned, it's difficult to understand what that regex is supposed to be doing. My understanding from the example data and the "bluecoat_categories" stanza you posted is that it should be taking this block of log data:

2016-07-27 01:44:37 82 aaa.bbb.ccc.ddd - - liveupdate.symantecliveupdate.com 173.222.148.19 None - - OBSERVED "Technology/Internet;Non-Viewable/Infrastructure" - 200 TCP_NC_MISS GET application/zip http liveupdate.symantecliveupdate.com 80 /sepc$20virus$20definitions$20win64$20$28x64$29$2012.1$20ru6_microdefsb.curdefs_symalllanguages_livetri.zip - zip "SEP/12.1.6318.6100, MID/{AE0696BC-BC71-CDA9-C292-88E224F7E9F3}, SID/59" 166.45.51.140 7735 447 - "Symantec Live Update" "Update Software" unavailable 27222a8161c3a978-0000000000bc77b0-0000000057981205 - -

And pulling out this value:

2016-07-27 01:44:37 82 aaa.bbb.ccc.ddd - - liveupdate.symantecliveupdate.com 173.222.148.19 None - - OBSERVED "Technology/Internet

But what you're actually looking for is:

Technology/Internet;Non-Viewable/Infrastructure

The regex for extracting that is wrong here and in the link you posted. But it's probably supposed to be this...:

(?:[^;]+)

It is basically saying "Capture everything except a semicolon and then stop" which seems like it wouldn't work that well. So while I think the regex I just posted is the 'correct' regex, I don't think it's very good.

Maybe try this:

^(?:[^ \n]* ){12}\"([^\"]*)\"

Translated this means:

Start at the beginning of the log line. Match everything except spaces and a newline 12 times (I'm assuming a single space is the only delimiter between these columns and doesn't occur in the fields leading up to it... can change it if necessary), at which point capture everything that occurs after a quotation mark before encountering a quotation mark.

0 Karma
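An added Python check, not written by anyone in this thread, that runs the three regexes discussed above against the sample log line pjohnson1 posted: the `(?[^;]+)` from transforms.conf that btool rejects, the `(?:[^;]+)` guess, and the 12-field regex. Python's `re` module stands in for Splunk's PCRE engine (assumption: the two agree on these particular patterns, which use no PCRE-only syntax; the one notable difference is that a named group is `(?<name>...)` in Splunk and `(?P<name>...)` in Python). The log line is the one quoted in the thread, embedded here as constructed test input.

```python
import re

# Sample Blue Coat access-log line quoted in the thread (constructed test input).
LOG_LINE = (
    '2016-07-27 01:44:37 82 aaa.bbb.ccc.ddd - - liveupdate.symantecliveupdate.com '
    '173.222.148.19 None - - OBSERVED "Technology/Internet;Non-Viewable/Infrastructure" '
    '- 200 TCP_NC_MISS GET application/zip http liveupdate.symantecliveupdate.com 80 '
    '/sepc$20virus$20definitions$20win64$20$28x64$29$2012.1$20ru6_microdefsb.curdefs_symalllanguages_livetri.zip '
    '- zip "SEP/12.1.6318.6100, MID/{AE0696BC-BC71-CDA9-C292-88E224F7E9F3}, SID/59" '
    '166.45.51.140 7735 447 - "Symantec Live Update" "Update Software" unavailable '
    '27222a8161c3a978-0000000000bc77b0-0000000057981205 - -'
)

# The three patterns under discussion, copied as they appear in the thread.
BROKEN_REGEX = r"(?[^;]+)"                       # posted transforms.conf, rejected by btool
NON_CAPTURING = r"(?:[^;]+)"                     # the "probably supposed to be this" guess
FIELD12_REGEX = r'^(?:[^ \n]* ){12}\"([^\"]*)\"'  # skip 12 space-separated fields, capture the quoted one


def compile_status(pattern: str):
    """Return None if the pattern compiles, else the engine's error text.

    This is the same class of failure btool reports as 'Bad regex value':
    '(?' must be followed by a recognised group modifier such as ':' or '<name>'.
    """
    try:
        re.compile(pattern)
        return None
    except re.error as exc:
        return str(exc)


def first_match(pattern: str, text: str):
    """Whole text matched by the first occurrence of pattern, or None."""
    m = re.search(pattern, text)
    return m.group(0) if m else None


def extract_quoted_categories(line: str):
    """Apply the 12-field regex to a raw log line and return the quoted category string.

    Assumes, as the thread does, that the first twelve columns are single-space
    delimited and contain no embedded spaces; returns None if the line does not fit.
    """
    m = re.search(FIELD12_REGEX, line)
    return m.group(1) if m else None


def split_categories(cs_categories: str):
    """Split a semicolon-separated category value into the list MV_ADD would produce.

    One match of '[^;]+' per category is what a capturing version of the transform
    would yield when run over the already-extracted cs_categories field.
    """
    return re.findall(r"[^;]+", cs_categories)


if __name__ == "__main__":
    print("broken regex:", compile_status(BROKEN_REGEX))
    print("non-capturing matches:", first_match(NON_CAPTURING, LOG_LINE))
    quoted = extract_quoted_categories(LOG_LINE)
    print("12-field capture:", quoted)
    print("multivalue categories:", split_categories(quoted))
```

Run stand-alone, the script shows the three behaviours the posts describe: the original pattern refuses to compile at all, the non-capturing version compiles but matches from the start of the line up to the first semicolon (the prefix michael_sleep pasted), and the 12-field regex pulls out exactly `Technology/Internet;Non-Viewable/Infrastructure`, which splits into the two category values the stanza's `MV_ADD = true` is meant to produce.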

twinspop
Influencer

It's not clear to me from the info provided what the regex will be doing, but it's definitely not legit. I'd try removing the '?' from the regex and see if you get good results in your searches.

REGEX = ([^;]+)
0 Karma

pjohnson1
Path Finder

That's strange. That transform was taken from https://answers.splunk.com/answers/408911/splunk-add-on-for-blue-coat-proxysg-has-anyone-got.html.

It was a fix for the Bluecoat SGOS 6.6.x extractions.

Here is a sample log entry and the bluecoat category is "Technology/Internet;Non-Viewable/Infrastructure":

2016-07-27 01:44:37 82 aaa.bbb.ccc.ddd - - liveupdate.symantecliveupdate.com 173.222.148.19 None - - OBSERVED "Technology/Internet;Non-Viewable/Infrastructure" - 200 TCP_NC_MISS GET application/zip http liveupdate.symantecliveupdate.com 80 /sepc$20virus$20definitions$20win64$20$28x64$29$2012.1$20ru6_microdefsb.curdefs_symalllanguages_livetri.zip - zip "SEP/12.1.6318.6100, MID/{AE0696BC-BC71-CDA9-C292-88E224F7E9F3}, SID/59" 166.45.51.140 7735 447 - "Symantec Live Update" "Update Software" unavailable 27222a8161c3a978-0000000000bc77b0-0000000057981205 - -
0 Karma

twinspop
Influencer

¯\_(ツ)_/¯ It was wrong there too. (?[ is invalid regex. The older Splunk must have been more forgiving. Dropping the question mark should make it work.

0 Karma