Hi, Splunkers,
I have some skill expression as below:
Orange > 5 & apple < 0 & ( Peach = 0 | Tomato >) & (Strawberry =7)
This skill expression covers all possible combinations.
How do I develop a regex to find any invalid string in this expression? Btw, extra space between different strings or symbols is OK here.
For example, here there is a double 0 with a space after apple, there is a space inside Tomato, and there is a missing right bracket for Strawberry =7, etc.
Orange > 5 & apple < 0 0 & ( Peach = 0 | To mato >) & (Strawberry =7
Thanks in advance.
Kevin

Assuming a valid part of the expression is a word followed by a comparison operator followed by a number, interspersed by zero or more spaces
(?<var>\w+)\s*(?<comparator>[<>=]+)\s*(?<num>\d+)
you could remove all valid expressions and ensure you don't have any words or numbers left:
| makeresults
| eval expression=split("Orange > 5 & apple < 0 & ( Peach = 0 | Tomato >) & (Strawberry =7)!Orange > 5 & apple < 0 0 & ( Peach = 0 | To mato >) & (Strawberry =7!Orange > 5 & apple < 0 & ( Peach = 0 | Tomato >0) & (Strawberry =7)!Orange > 5 & apple < 00 & ( Peach = 0 | Tomato >2) & (Strawberry =7)","!")
| mvexpand expression
| fields - _time
``` the lines above set up some dummy data (two bad and two corrected) ```
| eval test=expression
| rex mode=sed field=test "s/(?<var>\w+)\s*(?<comparator>[<>=]+)\s*(?<num>\d+)//g"
| eval valid=if(match(test,"[\d\w]"),"false","true")
ITWhisperer,
Thanks for your clarification.
Besides, I tried to filter this valid or invalid result with an input droplist with 3 choice values,
name/value: ALL/*, TRUE/TRUE, FALSE/FALSE,
but when I used the following search to verify where ValidatorResult = , I noticed that for TRUE or FALSE I have to use | where ValidatorResult = "TRUE", ValidatorResult = "FALSE". It works, but quotes must be used. For *, either without quotes or with quotes, it doesn't work.
More important, the value sent by the token is just TRUE, FALSE, or *, all without quotes.
So, how do I make this droplist ALL(*), TRUE, FALSE work with the validator result as a filter?
| rex mode=sed field=TargeValidator "s/(?<var>\w+)\s*(?<comparator>[<>=]+)\s*(?<num>0|[1-9]\d*)//g"
| eval ValidatorResult = if(match(TargeValidator,"[\d\w]"),"FALSE","TRUE")
| where ValidatorResult = "*"
thx in advance.
Kevin

I am not sure I understand what you are trying to do here but if you have a dropdown would this work:
| where ValidatorResult=$dropdowntoken$
Hi, ITWhisperer,
| where ValidatorResult=$dropdowntoken$ is shown as | where ValidatorResult= TRUE in search (when I open a search from the dashboard) when I select TRUE from the droplist,
but no events are returned.
If in search I change | where ValidatorResult= TRUE to | where ValidatorResult= "TRUE", then events are returned.
Or let me put it this way: the values sent from the token are TRUE, FALSE, or *,
but in the real search, events are returned only when I quote TRUE or FALSE.
For ALL/*, both * and "*" return no events.
Kevin

Try with |s to wrap the token value in quotes
| where ValidatorResult=$dropdowntoken|s$
ITWhisperer,
It's perfect for TRUE or FALSE, but when I select ALL/* (value) from the droplist, there is still nothing returned.
Like I said before, I did try both | where ValidatorResult=* and | where ValidatorResult="*", and neither returns anything.
What I expected from selecting ALL/* is that it should return all events, for both TRUE and FALSE.
Kevin

The validator either gives true or false - this is a binary option, there is no third option. This solves your original question. What are you expecting an ALL option to do?
Right, the result is either TRUE or FALSE, but what I want to display in dashboard is not only either TRUE or FALSE, also could be both.
Kevin

| where match(ValidatorResult,$dropdowntoken|s$)
Set the value for ALL to . (dot)
Thank you very much, it works.
Kevin
I have to admit I am a little confused about how to use boolean and string type here for TRUE or FALSE correctly.
Kevin
thank you very much, ITWhisperer... your Whisper ALWAYS the best.
Btw, the 00 should also be detected as false, so, I made a little change for skill level expression.
Orange > 5 & apple < 00 & ( Peach = 0 | Tomato >2) & (Strawberry =7)
| rex mode=sed field=test "s/(?<var>\w+)\s*(?<comparator>[<>=]+)\s*(?<num>0|[1-9]\d*)//g"
thanks again.
Kevin
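
The strip-and-check validation from this thread, ported to Python so the patterns can be tested offline (an added example, not code from any poster). It uses the stricter number pattern from the last post and adds a bracket-balance check, which is an assumption of this example and not part of the thread's search; the fifth sample is constructed.

```python
import re

# One valid term: word, comparison operator(s), number without leading zeros
# (the number pattern from the last post). Named groups are dropped because
# nothing is captured, only removed.
TERM = re.compile(r"\w+\s*[<>=]+\s*(?:0|[1-9]\d*)")


def leftover(expression: str) -> str:
    """Remove every valid term, like the rex mode=sed step in the thread."""
    return TERM.sub("", expression)


def brackets_balanced(expression: str) -> bool:
    """Added check (not in the thread): every ')' closes an earlier '('."""
    depth = 0
    for ch in expression:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def validate(expression: str) -> dict:
    """terms_ok mirrors the thread's test: no word or digit may remain."""
    terms_ok = re.search(r"\w", leftover(expression)) is None
    brackets_ok = brackets_balanced(expression)
    return {"terms_ok": terms_ok, "brackets_ok": brackets_ok,
            "valid": terms_ok and brackets_ok}


# The four expressions from the thread's dummy data, plus one constructed
# sample whose only defect is a missing right bracket.
SAMPLES = [
    "Orange > 5 & apple < 0 & ( Peach = 0 | Tomato >) & (Strawberry =7)",
    "Orange > 5 & apple < 0 0 & ( Peach = 0 | To mato >) & (Strawberry =7",
    "Orange > 5 & apple < 0 & ( Peach = 0 | Tomato >0) & (Strawberry =7)",
    "Orange > 5 & apple < 00 & ( Peach = 0 | Tomato >2) & (Strawberry =7)",
    "Orange > 5 & (Strawberry =7",  # constructed
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(validate(s), s)
```

The constructed fifth sample passes the term check on its own, so a missing bracket is only reported because of the added balance check.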
