Splunk Search

After upgrading from 5.0 to 6.4, getting a regex error issue at startup related to dashes, I think

gozulin
Communicator

Bad regex value: '(?i) .*? (?P<foo-bar>\[a-f0-9]+\-[a-f0-9]+\-[a-f0-9]+\-[a-f0-9]+\-[a-f0-9]+)(?= )', of param: props.conf / [wsp-prod] / EXTRACT-foo-bar; why: unrecognized character after (?P

Bad regex value: '(?i) .*? (?P[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+)(?= )', of param: props.conf / [wsp-prod] / EXTRACT-foo-bar; why: unrecognized character after (?P

the regex is:

EXTRACT-foo-bar = (?i) .*? (?P<foo-bar>[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+)(?= )

Thanks!
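The startup message above is only produced once the upgraded instance is already running. As an added example (not code from the thread or from Splunk), here is a small pre-upgrade check that reads a props.conf, compiles every EXTRACT-* value and reports failures in the same "Bad regex value" shape as the startup message, so a migration can be screened before the restart. The props.conf content is constructed. Python's re module is used as a stand-in for Splunk's PCRE engine: it applies the same rule to group names, but it only accepts the (?P<name> form, so the check rewrites PCRE's (?<name> before compiling. The two engines differ on other syntax, so a failure here flags a line to review by hand rather than proving Splunk will reject it.

```python
import re

# Constructed props.conf content (not the asker's real file): one stanza with the
# hyphenated group name from the question, one stanza whose extractions are valid.
PROPS_CONF = """\
[wsp-prod]
EXTRACT-foo-bar = (?i) .*? (?P<foo-bar>[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+)(?= )
EXTRACT-status = (?<status>\\d{3}) in http_line

[access_combined]
EXTRACT-client = ^(?<client_ip>\\d+\\.\\d+\\.\\d+\\.\\d+)
TRANSFORMS-drop = setnull
"""


def parse_stanzas(text):
    """Minimal props.conf reader: {stanza: {key: value}}; blank lines and comments skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            # Split on the first '=' only; regex values may themselves contain '=' (e.g. lookaheads).
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def to_python_syntax(pattern):
    """Splunk regexes are PCRE, which accepts (?<name>; Python's re needs (?P<name>.
    Rewrite only named groups: lookbehinds (?<= and (?<! are left untouched."""
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)


def check_extracts(text, filename="props.conf"):
    """Compile every EXTRACT-* regex and return Splunk-style 'Bad regex value' messages."""
    problems = []
    for stanza, keys in parse_stanzas(text).items():
        for key, value in keys.items():
            if not key.startswith("EXTRACT-"):
                continue
            # An EXTRACT value may end in "in <src_field>"; that suffix is not part of the regex.
            pattern = re.sub(r"\s+in\s+\w+$", "", value)
            try:
                re.compile(to_python_syntax(pattern))
            except re.error as exc:
                problems.append(
                    f"Bad regex value: '{value}', of param: {filename} / [{stanza}] / {key}; why: {exc}"
                )
    return problems


if __name__ == "__main__":
    for problem in check_extracts(PROPS_CONF):
        print(problem)
```

Running it against the constructed file reports exactly one problem, the [wsp-prod] / EXTRACT-foo-bar line, with the reason text coming from Python's own error for the bad group name.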

1 Solution

woodcock
Esteemed Legend

I use http://www.RegEx101.com to validate. It shows many errors. I made some guesses (You did not give us any event text to use to validate the RegEx so we can only guess). Try this:

(?i) .*? (?<foo_bar>[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+)(?= )

The problem is the hyphen in the name. Splunk, does not allow this (the same as all PCRE engines). You can do it with an underscore and then at search time you can rename it like this:

| rename foo_bar AS foo-bar

You might also be able to create a Field Alias but it is unclear whether the hyphen will be tolerated there (worth a try):

http://docs.splunk.com/Documentation/Splunk/6.2.5/Knowledge/Addaliasestofields
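The accepted fix, checked in code. This is an added example, not code from the thread: it uses Python's re module as a stand-in for Splunk's PCRE engine. Both reject a hyphen in a group name (only letters, digits and underscores are allowed), but Python's re requires the (?P<name> form where PCRE also accepts (?<name>, so the example keeps the (?P prefix from the original extraction. The sample event and the UUID-like value in it are constructed, and the `rename` function stands in for the `| rename` step at search time.

```python
import re

# Constructed sample event (not from the thread): a UUID-like value sits between two spaces.
SAMPLE_EVENT = "2016-05-10 12:00:01 wsp-prod request 3f2a9c1e-8b4d-4c7a-9e21-0d5f6a7b8c9d ok"

# The extraction from the question: the hyphen in the group name is what Splunk rejects.
BAD_REGEX = r"(?i) .*? (?P<foo-bar>[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+)(?= )"
# The accepted fix: an underscore instead of the hyphen. PCRE accepts (?<name> and (?P<name>;
# Python's re only accepts (?P<name>, so the (?P form from the question is kept here.
GOOD_REGEX = r"(?i) .*? (?P<foo_bar>[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+)(?= )"


def regex_error(pattern):
    """Return the compile error text for pattern, or None if it compiles.

    Python's re enforces the same group-name rule as PCRE (letters, digits and
    underscore only), so '(?P<foo-bar>' fails here just as it does in Splunk.
    """
    try:
        re.compile(pattern)
    except re.error as exc:
        return str(exc)
    return None


def extract(pattern, event):
    """Emulate the EXTRACT: return the named groups the pattern captures from one event."""
    match = re.search(pattern, event)
    return match.groupdict() if match else {}


def rename(fields, old, new):
    """Emulate `| rename old AS new` on one event's extracted fields."""
    renamed = dict(fields)
    if old in renamed:
        renamed[new] = renamed.pop(old)
    return renamed


if __name__ == "__main__":
    print("bad regex  :", regex_error(BAD_REGEX))
    print("fixed regex:", regex_error(GOOD_REGEX))
    fields = extract(GOOD_REGEX, SAMPLE_EVENT)
    print("extracted  :", fields)
    print("renamed    :", rename(fields, "foo_bar", "foo-bar"))
```

The extracted field is keyed `foo_bar`, and the rename step is what gives the search results the `foo-bar` name the original configuration was trying to produce directly.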

skoelpin
SplunkTrust

You need to include <NAME> after the ?P

It should look like this
EXTRACT-StatusCode=<a:StatusCode>(?<StatusCode>\d*)</a:StatusCode>

woodcock
Esteemed Legend

If you leave a blank line after your introduction text here vvvvvv

<--- And then leave 4 lines before your text here
Then you will have a code segment created that will not be modified in any way.

gozulin
Communicator

The actual regex is altered when I copy paste it...There is a [foo-bar] after the P. (replace the square brackets with "Less Than" and "Greater Than" symbols . It's just not showing up because of the way this website parses comments...

Update: figured out how to insert code...

EXTRACT-foo-bar = (?i) .*? (?P<foo-bar>[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+)(?= )


skoelpin
SplunkTrust

Try this

EXTRACT-foo-bar = (?i) .*? (?P<NAME>[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+)(?= )


gozulin
Communicator

That's exactly how I have it, only instead of the string NAME, it's the string foo-bar .

How are you able to type greater than and less than symbols with a word in between. When I do it, they and the word inside them disappear when I post my comment.

Lemme try this again: Remove the spaces before and after the foo-bar string to get my actual text:

EXTRACT-foo-bar = (?i) .*? (?P< foo-bar >[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+)(?= )


skoelpin
SplunkTrust

Use the tics (ctrl + ~)

If the above extraction doesn't work then you can try extracting the field at search time..

It also looks like you have an uneven number of parentheses


gozulin
Communicator

The last parenthesis was a typo, this is the full query. There are 4 parentheses total:

Remove the spaces before and after the foo-bar string to get my actual text:

EXTRACT-foo-bar = (?i) .*? (?P < foo-bar > [a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+)(?= )


skoelpin
SplunkTrust

You need to wrap your expression with parenthesis.. The lookahead needs to have a parenthesis after it.. I'd also recommend ditching the spaces

Also, why not extract the field at search time? This will allow you to test your regular expression without having to restart your indexer service each time


gozulin
Communicator

There are no spaces in the actual query. I just don't know enough about how to post code on this website that won't mess with my formatting; as it is, if I write anything wrapped in < and > here without spaces, the entire string disappears from my post! (annoying as hell)

Here is a picture so you can see:

http://imgur.com/a/670j4

There is a parenthesis after the lookahead, right after the last "[a-f0-9]+" string. Isn't there? That's what puzzles me.


skoelpin
SplunkTrust

Use the tics (ctrl + ~) to put it in code mode to prevent using spaces..

You need to wrap the entire expression in parentheses.. Also, please read the suggestion I gave you above if you want to solve this problem.

Also, why not extract the field at search time? This will allow you to test your regular expression without having to restart your indexer service each time


gozulin
Communicator

When you say "wrap the entire expression in parenthesis", do you mean like this?

`((?i) .*? (?P <foo-bar> [a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+)(?= ))`

Because that did not work.

I don't know why it's not being extracted at search time, I am not the engineer who wrote this config, I'm just doing the migration and trying to fix any syntactic mistakes in the process. I am not testing my expression by restarting anything, I am testing it in https://regex101.com/ which also complains about it, so I'm assuming that it has the same issue splunk has with it, and if I solve it there, splunk will take it too.


skoelpin
SplunkTrust

Give me some text and I will write the regex for you to test..

I would also recommend doing it at search time rather than index time so you can test it..


skoelpin
SplunkTrust

First, you should never modify a configuration file with a .config that you have no idea of what it does..

This regex will extract a field which will look something like this

f9+a7-b3-c6+d7-e8

What you need to do is extract this at search time so you can see this work in motion.. Go to your Splunk GUI, go to the left side of the screen below "fields" and click extract fields then I'd prefer to write this regular expression myself then paste this in..

(?P<foo-bar>[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+)(?= ))

This will name your field foo-bar and will look for the pattern f9+a7-b3-c6+d7-e8 and extract it.. Then hit preview to see what it extracts


gozulin
Communicator

Don't have text to give because I don't know what it does. You can't tell what it's supposed to do either?


skoelpin
SplunkTrust

(?P<NAME>[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+(?= ))


gozulin
Communicator

Why are you writing <NAME> instead of <foo-bar> ? I'm confused.
