Splunk Search

How come scheduled search is failing with error on regex but is successful with an ad hoc search?

marycordova
SplunkTrust
SplunkTrust

Problem Statement: successful ad hoc search, when saved and scheduled to run periodically, fails with error at position in regex

Error:

status=skipped, Error in 'SearchParser': Missing a search command before '^'. Error at position '8052' of search query 'search index=win* (EventCode=624 OR EventCode=4720...{snipped} {errorcontext = rc_host>^[^\\\]+)"\n| }'

Search:

index=win* (EventCode=624 OR EventCode=4720)
| eval src=mvindex('Security_ID',0)
| rex field=src "(?<src_host>^[^\\\]+)"
| rex field=src "(?<src_user>[^\\\]+)\$*$"
| eval src_host=upper(if(match('src_user',"\$$"),rtrim('src_user',"$"),(if('src_host'=="<domain>",null(),'src_host'))))
| eval src_user=lower(if(match('src_user',"\$$"),rtrim('src_user',"$"),'src_user'))
| eval dest_user=lower('SAM_Account_Name')
| table src_host src_user dest_user
0 Karma
1 Solution

marycordova
SplunkTrust
SplunkTrust

Workaround (JIRA SPL-161618):

  1. replaced instances of \$ followed by any number of characters and then another $ with the hex encoded version of \$ ( \x24 )
  2. the issue has to do with some component of Splunk ( @martin_mueller would know precisely which component ) interpreting $somestuffhere$ as a token

Working Scheduled Search:

index=win* (EventCode=624 OR EventCode=4720)
| eval src=mvindex('Security_ID',0)
| rex field=src "(?<src_host>^[^\\\]+)"
| rex field=src "(?<src_user>[^\\\]+)\x24*$"
| eval src_host=upper(if(match('src_user',"\x24$"),rtrim('src_user',"$"),(if('src_host'=="<domain>",null(),'src_host'))))
| eval src_user=lower(if(match('src_user',"\x24$"),rtrim('src_user',"$"),'src_user'))
| eval dest_user=lower('SAM_Account_Name')
| table src_host src_user dest_user

View solution in original post

marycordova
SplunkTrust
SplunkTrust

Workaround (JIRA SPL-161618):

  1. replaced instances of \$ followed by any number of characters and then another $ with the hex encoded version of \$ ( \x24 )
  2. the issue has to do with some component of Splunk ( @martin_mueller would know precisely which component ) interpreting $somestuffhere$ as a token

Working Scheduled Search:

index=win* (EventCode=624 OR EventCode=4720)
| eval src=mvindex('Security_ID',0)
| rex field=src "(?<src_host>^[^\\\]+)"
| rex field=src "(?<src_user>[^\\\]+)\x24*$"
| eval src_host=upper(if(match('src_user',"\x24$"),rtrim('src_user',"$"),(if('src_host'=="<domain>",null(),'src_host'))))
| eval src_user=lower(if(match('src_user',"\x24$"),rtrim('src_user',"$"),'src_user'))
| eval dest_user=lower('SAM_Account_Name')
| table src_host src_user dest_user

View solution in original post

.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!