Bad regex value: '(?i) .*? (?P<foo-bar>[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+)(?= )', of param: props.conf / [wsp-prod] / EXTRACT-foo-bar; why: unrecognized character after (?P
Bad regex value: '(?i) .*? (?P[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+)(?= )', of param: props.conf / [wsp-prod] / EXTRACT-foo-bar; why: unrecognized character after (?P
the regex is:
EXTRACT-foo-bar = (?i) .*? (?P<foo-bar>[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+)(?= )
Thanks!
I use http://www.RegEx101.com to validate. It shows many errors. I made some guesses (You did not give us any event text to use to validate the RegEx so we can only guess). Try this:
(?i) .*? (?<foo_bar>[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+)(?= )
The problem is the hyphen in the name. Splunk does not allow this (the same as all PCRE engines). You can do it with an underscore and then at search time you can rename it like this:
| rename foo_bar AS foo-bar
You might also be able to create a Field Alias, but it is unclear whether the hyphen will be tolerated there (worth a try):
http://docs.splunk.com/Documentation/Splunk/6.2.5/Knowledge/Addaliasestofields
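The fix described in the answer above, worked through as an added example (not code from the thread or from Splunk): a small linter that finds `EXTRACT-` regexes whose named groups break the PCRE naming rule, rewrites them with underscores, and builds the search-time rename. Python's `re` is used as a stand-in for Splunk's PCRE engine (it rejects a hyphenated group name too, and accepts only the `(?P<name>` spelling); the function names and the sample event are assumptions constructed for the example.

```python
import re

# Constructed props.conf fragment; stanza name and regex are the ones quoted in the thread.
PROPS_CONF = """\
[wsp-prod]
EXTRACT-foo-bar = (?i) .*? (?P<foo-bar>[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+)(?= )
"""
# Constructed sample event (the thread never shows real event text).
EVENT = "2015-09-01 12:00:00 INFO 3f2a-9b1c-77de-0a4f-c3d2 request done"

# PCRE group names: letters, digits, underscore; no leading digit; at most 32 characters.
VALID_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,31}\Z")
# Matches (?P<name> and (?<name>, but not the lookbehinds (?<= and (?<!
GROUP_NAME = re.compile(r"\(\?P?<(?![=!])([^>]*)>")

def safe_name(name):
    """Replace every character PCRE rejects in a group name with an underscore."""
    s = re.sub(r"[^A-Za-z0-9_]", "_", name)
    return (s if s and not s[0].isdigit() else "_" + s)[:32]

def lint_extracts(conf_text):
    """Return (stanza, key, {bad: safe}, fixed_regex) per EXTRACT with bad group names."""
    findings, stanza = [], None
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif line.startswith("EXTRACT-") and "=" in line:
            key, regex = (part.strip() for part in line.split("=", 1))
            renames = {}
            def fix(match):
                name = match.group(1)
                if VALID_NAME.match(name):
                    return match.group(0)       # already a legal name, keep as written
                renames[name] = safe_name(name)
                return "(?P<%s>" % renames[name]
            fixed = GROUP_NAME.sub(fix, regex)
            if renames:
                findings.append((stanza, key, renames, fixed))
    return findings

def rename_spl(renames):
    """Search-time rename back to the original names, in the form the answer gives."""
    return " ".join("| rename %s AS %s" % (safe, bad) for bad, safe in renames.items())

if __name__ == "__main__":
    for stanza, key, renames, fixed in lint_extracts(PROPS_CONF):
        print(stanza, key, fixed, rename_spl(renames), re.search(fixed, EVENT).group(1))
```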
You need to include <NAME> after the ?P
It should look like this
EXTRACT-StatusCode=<a:StatusCode>(?<StatusCode>\d*)</a:StatusCode>
If you leave a blank line after your introduction text here vvvvvv
<--- And then leave 4 lines before your text here
Then you will have a code segment created that will not be modified in any way.
The actual regex is altered when I copy paste it... There is a [foo-bar] after the P (replace the square brackets with "Less Than" and "Greater Than" symbols). It's just not showing up because of the way this website parses comments...
Update: figured out how to insert code...
EXTRACT-foo-bar = (?i) .*? (?P<foo-bar>[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+)(?= )
Try this
EXTRACT-foo-bar = (?i) .*? (?P<NAME>[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+)(?= )
That's exactly how I have it, only instead of the string NAME, it's the string foo-bar .
How are you able to type greater than and less than symbols with a word in between. When I do it, they and the word inside them disappear when I post my comment.
Lemme try this again: Remove the spaces before and after the foo-bar string to get my actual text:
EXTRACT-foo-bar = (?i) .*? (?P< foo-bar >[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+)(?= )
Use the tics (ctrl + ~)
If the above extraction doesn't work then you can try extracting the field at search time..
It also looks like you have an uneven amount of parenthesis
The last parenthesis was a typo, this is the full query. There are 4 parentheses total:
Remove the spaces before and after the foo-bar string to get my actual text:
EXTRACT-foo-bar = (?i) .*? (?P < foo-bar > [a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+)(?= )
You need to wrap your expression with parenthesis.. The lookahead needs to have a parenthesis after it.. I'd also recommend ditching the spaces
Also, why not extract the field at search time? This will allow you to test your regular expression without having to restart your indexer service each time
There are no spaces in the actual query. I just don't know enough about how to post code on this website that won't mess with my formatting, as it is, if I write anything wrapped in < and > here without spaces, the entire string disappears from my post! (annoying as hell)
Here is a picture so you can see:
There is a parenthesis after the lookahead, right after the last "[a-f0-9]+" string. Isn't there? That's what puzzles me.
Use the tics (ctrl + ~) to put it in code mode to prevent using spaces..
You need to wrap the entire expression in parenthesis.. Also, please read the suggestion I gave you above if you want to solve this problem.
Also, why not extract the field at search time? This will allow you to test your regular expression without having to restart your indexer service each time
When you say "wrap the entire expression in parenthesis", do you mean like this?
`((?i) .*? (?P <foo-bar> [a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+)(?= ))`
Because that did not work.
I don't know why it's not being extracted at search time, I am not the engineer who wrote this config, I'm just doing the migration and trying to fix any syntactic mistakes in the process. I am not testing my expression by restarting anything, I am testing it in https://regex101.com/ which also complains about it, so I'm assuming that it has the same issue Splunk has with it, and if I solve it there, Splunk will take it too.
Give me some text and I will write the regex for you to test..
I would also recommend doing it at search time rather than index time so you can test it..
First, you should never modify a configuration file with a .config that you have no idea of what it does..
This regex will extract a field which will look something like this
f9+a7-b3-c6+d7-e8
What you need to do is extract this at search time so you can see this work in motion.. Go to your Splunk GUI, go to the left side of the screen below "fields" and click extract fields
then I'd prefer to write this regular expression myself
then paste this in..
(?P<foo-bar>[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+)(?= ))
This will name your field foo-bar
and will look for the pattern f9+a7-b3-c6+d7-e8
and extract it.. Then hit preview to see what it extracts
Don't have text to give because I don't know what it does. You can't tell what it's supposed to do either?
(?P<NAME>[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+(?= ))
Why are you writing <NAME> instead of <foo-bar>? I'm confused.