Splunk Search

How come scheduled search is failing with error on regex but is successful with an ad hoc search?

marycordova
SplunkTrust

Problem Statement: a successful ad hoc search, when saved and scheduled to run periodically, fails with an error at a position in the regex

Error:

status=skipped, Error in 'SearchParser': Missing a search command before '^'. Error at position '8052' of search query 'search index=win* (EventCode=624 OR EventCode=4720...{snipped} {errorcontext = rc_host>^[^\\\]+)"\n| }'

Search:

index=win* (EventCode=624 OR EventCode=4720)
| eval src=mvindex('Security_ID',0)
| rex field=src "(?<src_host>^[^\\\]+)"
| rex field=src "(?<src_user>[^\\\]+)\$*$"
| eval src_host=upper(if(match('src_user',"\$$"),rtrim('src_user',"$"),(if('src_host'=="<domain>",null(),'src_host'))))
| eval src_user=lower(if(match('src_user',"\$$"),rtrim('src_user',"$"),'src_user'))
| eval dest_user=lower('SAM_Account_Name')
| table src_host src_user dest_user
@marycordova
0 Karma
1 Solution


marycordova
SplunkTrust

Workaround (JIRA SPL-161618):

  1. replaced instances of \$ followed by any number of characters and then another $ with the hex-encoded version of \$ (\x24)
  2. the issue has to do with some component of Splunk (@martin_mueller would know precisely which component) interpreting $somestuffhere$ as a token

Working Scheduled Search:

index=win* (EventCode=624 OR EventCode=4720)
| eval src=mvindex('Security_ID',0)
| rex field=src "(?<src_host>^[^\\\]+)"
| rex field=src "(?<src_user>[^\\\]+)\x24*$"
| eval src_host=upper(if(match('src_user',"\x24$"),rtrim('src_user',"$"),(if('src_host'=="<domain>",null(),'src_host'))))
| eval src_user=lower(if(match('src_user',"\x24$"),rtrim('src_user',"$"),'src_user'))
| eval dest_user=lower('SAM_Account_Name')
| table src_host src_user dest_user
@marycordova
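As an added example (not code from the post, and not Splunk's own code): a Python script that applies the workaround described above before a search is saved for scheduling, and checks that the rewritten regexes still extract the same fields. It assumes, following the poster's description, that the risky spans are a regex escape `\$` followed by any characters up to the next `$`; the `TOKEN_LIKE` pattern, the `<domain>` placeholder value and the sample Security_ID values are constructed for this example, and Python's `re` spells named groups `(?P<name>...)` rather than `(?<name>...)`.

```python
import re
from typing import Optional

# Constructed copy of the failing scheduled search from the post.
FAILING_SEARCH = r'''index=win* (EventCode=624 OR EventCode=4720)
| eval src=mvindex('Security_ID',0)
| rex field=src "(?<src_host>^[^\\\]+)"
| rex field=src "(?<src_user>[^\\\]+)\$*$"
| eval src_host=upper(if(match('src_user',"\$$"),rtrim('src_user',"$"),(if('src_host'=="<domain>",null(),'src_host'))))
| eval src_user=lower(if(match('src_user',"\$$"),rtrim('src_user',"$"),'src_user'))
| eval dest_user=lower('SAM_Account_Name')
| table src_host src_user dest_user'''

# Constructed copy of the working scheduled search from the post (\$ replaced by \x24).
WORKING_SEARCH = r'''index=win* (EventCode=624 OR EventCode=4720)
| eval src=mvindex('Security_ID',0)
| rex field=src "(?<src_host>^[^\\\]+)"
| rex field=src "(?<src_user>[^\\\]+)\x24*$"
| eval src_host=upper(if(match('src_user',"\x24$"),rtrim('src_user',"$"),(if('src_host'=="<domain>",null(),'src_host'))))
| eval src_user=lower(if(match('src_user',"\x24$"),rtrim('src_user',"$"),'src_user'))
| eval dest_user=lower('SAM_Account_Name')
| table src_host src_user dest_user'''

# Assumption taken from the post's description: a regex escape '\$' followed by any
# characters up to the next '$' on the same line is what the scheduler mistakes
# for a $token$ reference.
TOKEN_LIKE = re.compile(r'\\\$[^$\n]*\$')


def find_token_like_spans(spl: str) -> list:
    r"""Return every '\$...$' span in the search text, in order of appearance."""
    return TOKEN_LIKE.findall(spl)


def apply_workaround(spl: str) -> str:
    r"""Rewrite the regex escape '\$' as the hex escape '\x24' (0x24 is '$' in ASCII)."""
    return spl.replace(r'\$', r'\x24')


# Python spellings of the two src_user regexes from the rex commands. They are the
# same regex: \x24 is only a different way of writing a literal '$'.
ORIGINAL_USER_RE = re.compile(r'(?P<src_user>[^\\]+)\$*$')
HEX_USER_RE = re.compile(r'(?P<src_user>[^\\]+)\x24*$')
HOST_RE = re.compile(r'(?P<src_host>^[^\\]+)')

# Constructed stand-in for the redacted "<domain>" literal in the post.
DOMAIN_PLACEHOLDER = '<domain>'


def extract_src_user(security_id: str, user_re) -> Optional[str]:
    """Apply one of the src_user regexes to a DOMAIN\\name style Security_ID."""
    m = user_re.search(security_id)
    return m.group('src_user') if m else None


def parse_security_id(security_id: str, user_re=HEX_USER_RE) -> dict:
    r"""Mirror the post's eval logic: a machine account (DOMAIN\HOST$) yields
    src_host=HOST and src_user=host; a user account keeps the domain as src_host,
    except that the placeholder domain is blanked out (null() in the SPL)."""
    host_m = HOST_RE.search(security_id)
    src_host = host_m.group('src_host') if host_m else None
    src_user = extract_src_user(security_id, user_re)
    if src_user is not None and src_user.endswith('$'):
        # match('src_user',"\x24$") branch: a trailing '$' marks a machine account
        trimmed = src_user.rstrip('$')
        return {'src_host': trimmed.upper(), 'src_user': trimmed.lower()}
    if src_host == DOMAIN_PLACEHOLDER:
        src_host = None
    return {'src_host': src_host.upper() if src_host else None,
            'src_user': src_user.lower() if src_user else None}


if __name__ == '__main__':
    print('token-like spans in failing search:', find_token_like_spans(FAILING_SEARCH))
    fixed = apply_workaround(FAILING_SEARCH)
    print('spans after workaround:', find_token_like_spans(fixed))
    print('rewrite matches the working search:', fixed == WORKING_SEARCH)
    for sid in (r'CORP\HOST01$', r'CORP\jdoe'):  # constructed sample values
        print(sid, '->', parse_security_id(sid))
```

Running `find_token_like_spans` over a search before saving it gives a quick pre-flight check; `apply_workaround` is the mechanical rewrite, and `parse_security_id` confirms that the hex-escaped regex classifies machine and user accounts exactly as the original did.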