
Splunk_TA_bluecoat-proxysg "Bad regex value" error after upgrade from Splunk 6.2.6 to 6.3.5

Path Finder

Hello,

After we upgraded Splunk to 6.3.5, our Splunk_TA_bluecoat-proxysg started producing a bad regex error:

btool.log

Bad regex value: '(?[^;]+)', of param: transforms.conf / [bluecoat_categories] / REGEX; why: unrecognized character after (? or (?- transforms.conf

transforms.conf

[bluecoat_categories]
SOURCE_KEY = cs_categories
REGEX = (?[^;]+)
MV_ADD = true

Thanks again!


Re: Splunk_TA_bluecoat-proxysg "Bad regex value" error after upgrade from Splunk 6.2.6 to 6.3.5

Influencer

It's not clear to me from the info provided what the regex will be doing, but it's definitely not legit. I'd try removing the '?' from the regex and see if you get good results in your searches.

REGEX = ([^;]+)

Re: Splunk_TA_bluecoat-proxysg "Bad regex value" error after upgrade from Splunk 6.2.6 to 6.3.5

Path Finder

That's strange. That transform was taken from https://answers.splunk.com/answers/408911/splunk-add-on-for-blue-coat-proxysg-has-anyone-got.html.

It was a fix for the Bluecoat SGOS 6.6.x extractions.

Here is a sample log entry and the bluecoat category is "Technology/Internet;Non-Viewable/Infrastructure":

2016-07-27 01:44:37 82 aaa.bbb.ccc.ddd - - liveupdate.symantecliveupdate.com 173.222.148.19 None - - OBSERVED "Technology/Internet;Non-Viewable/Infrastructure" - 200 TCP_NC_MISS GET application/zip http liveupdate.symantecliveupdate.com 80 /sepc$20virus$20definitions$20win64$20$28x64$29$2012.1$20ru6_microdefsb.curdefs_symalllanguages_livetri.zip - zip "SEP/12.1.6318.6100, MID/{AE0696BC-BC71-CDA9-C292-88E224F7E9F3}, SID/59" 166.45.51.140 7735 447 - "Symantec Live Update" "Update Software" unavailable 27222a8161c3a978-0000000000bc77b0-0000000057981205 - -

Re: Splunk_TA_bluecoat-proxysg "Bad regex value" error after upgrade from Splunk 6.2.6 to 6.3.5

Influencer

¯\_(ツ)_/¯ It was wrong there too. (?[ is invalid regex. The older Splunk must have been more forgiving. Dropping the question mark should make it work.


Re: Splunk_TA_bluecoat-proxysg "Bad regex value" error after upgrade from Splunk 6.2.6 to 6.3.5

Communicator

As someone already mentioned, it's difficult to understand what that regex is supposed to be doing. My understanding from the example data and the "bluecoat_categories" stanza you posted is that it should be taking this block of log data:

2016-07-27 01:44:37 82 aaa.bbb.ccc.ddd - - liveupdate.symantecliveupdate.com 173.222.148.19 None - - OBSERVED "Technology/Internet;Non-Viewable/Infrastructure" - 200 TCP_NC_MISS GET application/zip http liveupdate.symantecliveupdate.com 80 /sepc$20virus$20definitions$20win64$20$28x64$29$2012.1$20ru6_microdefsb.curdefs_symalllanguages_livetri.zip - zip "SEP/12.1.6318.6100, MID/{AE0696BC-BC71-CDA9-C292-88E224F7E9F3}, SID/59" 166.45.51.140 7735 447 - "Symantec Live Update" "Update Software" unavailable 27222a8161c3a978-0000000000bc77b0-0000000057981205 - -

And pulling out this value:

2016-07-27 01:44:37 82 aaa.bbb.ccc.ddd - - liveupdate.symantecliveupdate.com 173.222.148.19 None - - OBSERVED "Technology/Internet

But what you're actually looking for is:

Technology/Internet;Non-Viewable/Infrastructure

The regex for extracting that is wrong here and in the link you posted. But it's probably supposed to be this...:

(?:[^;]+)

It is basically saying "Capture everything except a semicolon and then stop" which seems like it wouldn't work that well. So while I think the regex I just posted is the 'correct' regex, I don't think it's very good.

Maybe try this:

^(?:[^ \n]* ){12}\"([^\"]*)\"

Translated this means:

Start at the beginning of the log line. Match everything except spaces and a newline 12 times (I'm assuming a single space is the only delimiter between these columns and doesn't occur in the fields leading up to it... can change it if necessary), at which point capture everything that occurs after a quotation mark before encountering a quotation mark.

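As an added illustration (not code from any of the posts above), the following Python checks the regexes discussed in the thread against the quoted sample line, using Python's re module as a stand-in for Splunk's PCRE engine. The named-group pattern at the end is an assumption about what the stanza may have intended (SOURCE_KEY = cs_categories means the regex runs against that field, and Splunk needs a capture group to produce a field); the thread does not confirm it.

```python
import re

# Constructed copy of the sample log line quoted in the thread (shortened after column 13).
SAMPLE_LINE = (
    '2016-07-27 01:44:37 82 aaa.bbb.ccc.ddd - - liveupdate.symantecliveupdate.com '
    '173.222.148.19 None - - OBSERVED "Technology/Internet;Non-Viewable/Infrastructure" '
    '- 200 TCP_NC_MISS GET application/zip http liveupdate.symantecliveupdate.com 80 '
    '/sepc$20virus$20definitions.zip - zip "SEP/12.1.6318.6100, SID/59" 166.45.51.140 7735 447'
)

ORIGINAL_REGEX = r'(?[^;]+)'                            # value from the posted transforms.conf
NON_CAPTURING_REGEX = r'(?:[^;]+)'                      # first guess at a "correct" regex
THIRTEENTH_FIELD_REGEX = r'^(?:[^ \n]* ){12}"([^"]*)"'  # replacement proposed in the thread
# Assumed intent, not on the page: a named group so Splunk has a field to create.
# PCRE spelling would be (?<cs_categories>[^;]+); Python requires (?P<...>).
NAMED_GROUP_REGEX = r'(?P<cs_categories>[^;]+)'


def compiles(pattern):
    """True if the engine accepts the pattern; (?[ is rejected, as btool.log reports."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def capture_groups(pattern, text):
    """Captured groups of the first match, () when the pattern matches but has no
    capture group (so nothing would become a field), None when it does not match."""
    m = re.search(pattern, text)
    return m.groups() if m else None


def split_categories(field_value, pattern=NAMED_GROUP_REGEX):
    """Run the regex over the cs_categories field value (what SOURCE_KEY selects), not
    the raw event, and keep every match as one value of a multivalue field."""
    return [m.group('cs_categories') for m in re.finditer(pattern, field_value)]


if __name__ == '__main__':
    print('original compiles:', compiles(ORIGINAL_REGEX))
    print('non-capturing groups:', capture_groups(NON_CAPTURING_REGEX, SAMPLE_LINE))
    print('13th field:', capture_groups(THIRTEENTH_FIELD_REGEX, SAMPLE_LINE))
    print('split:', split_categories('Technology/Internet;Non-Viewable/Infrastructure'))
```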