Splunk Search

REX not being consistent in defining "fields"

Communicator

I have a set of router and switch syslog events that I am trying to define 'error' fields for, but I don't see the rex statement being consistent. When I run the following search against the two syslog events listed below

Search

sourcetype=syslog_info earliest=-1m | rex "(?<error>\%.*-\b([0-4])\-.*):\s"

Syslog data

<DATE Field> %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host
<DATE Field>  "%ACLLOG-4-ACLLOG_THRESHOLD: Source IP: 10.215.24.52, Destination IP: 167.68.250.45, Source Port: 137, Destination Port: 137, Source Interface: port-channel105, protocol"


I get the following results. Any thoughts on why one works and one doesn't? I am stumped.

1) error="%SNMP-3-AUTHFAIL"
2) error="%ACLLOG-4-ACLLOG_THRESHOLD: Source IP: 10.215.24.52, Destination IP: 167.68.250.45, Source Port: 137, Destination Port: 137, Source Interface: port-channel105, protocol"

Master Oogway


Re: REX not being consistent in defining "fields"

Motivator

The difference between your two sample events is that the second one has multiple : characters. The .* performs "greedy" matching, meaning it tries to include as much text as possible in the match.

Adding a question mark -- .*? -- will make it non-greedy:

| rex "(?<error>\%.*-\b([0-4])\-.*?):\s"

Or if you want a more permanent/complete solution, this covers most cases:

props.conf:

[cisco-eventcodes]
REGEX = (%(([\w\-]+)-(\d+)-([\w\_]+)):\s+(.*)$)
FORMAT = message_full::$1 event::$2 facility::$3 severity::$4 mnemonic::$5 message::$6

transforms.conf:

[syslog_info]
REPORT-ciscoevt = cisco-eventcodes

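As an added illustration (not code from the thread), the Python script below replays the question's greedy rex pattern, the answer's non-greedy fix, and the answer's transforms-style REGEX over three constructed events modelled on the ones in the question; the timestamp/host prefix, the third event and the severity-name table are assumptions added here. Splunk's `(?<name>...)` group is written in Python's `(?P<name>...)` form and the redundant `\%`/`\-` escapes are dropped; the matching semantics are otherwise the same. When deploying the permanent version, the REGEX/FORMAT stanza is read from transforms.conf and the REPORT- line that binds it to the sourcetype from props.conf.

```python
import re

# Constructed sample events modelled on the two in the question; the
# timestamp/host prefix stands in for the <DATE Field> and is made up.
# The third (severity 5) line is added to show what the rex does NOT match.
EVENTS = [
    "Jan 01 00:00:00 sw1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host",
    "Jan 01 00:00:01 sw1 %ACLLOG-4-ACLLOG_THRESHOLD: Source IP: 10.215.24.52, "
    "Destination IP: 167.68.250.45, Source Port: 137, Destination Port: 137, "
    "Source Interface: port-channel105, protocol",
    "Jan 01 00:00:02 sw1 %SYS-5-CONFIG_I: Configured from console by vty0",
]

# The question's rex pattern (greedy .*) and the answer's fix (lazy .*?), with
# Splunk's (?<name>...) written as Python's (?P<name>...).
GREEDY = re.compile(r"(?P<error>%.*-\b([0-4])-.*):\s")
LAZY = re.compile(r"(?P<error>%.*-\b([0-4])-.*?):\s")

# The answer's transforms-style REGEX; group numbers line up with its FORMAT
# ($1 message_full, $2 event, $3 facility, $4 severity, $5 mnemonic, $6 message).
CISCO_EVENT = re.compile(r"(%(([\w\-]+)-(\d+)-([\w_]+)):\s+(.*)$)")

# Cisco severity numbers use the syslog scale (assumed table, not from the thread).
SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notification", 6: "informational", 7: "debugging"}


def extract_error(pattern, event):
    """Return what the given rex pattern would put in the 'error' field, or None."""
    m = pattern.search(event)
    return m.group("error") if m else None


def parse_cisco_event(event):
    """Split a %FACILITY-SEV-MNEMONIC: message line into the fields the FORMAT
    names; returns None for lines that are not Cisco-style events."""
    m = CISCO_EVENT.search(event)
    if not m:
        return None
    fields = dict(zip(
        ("message_full", "event", "facility", "severity", "mnemonic", "message"),
        m.groups()))
    fields["severity"] = int(fields["severity"])
    fields["severity_name"] = SEVERITY_NAMES.get(fields["severity"], "unknown")
    return fields


def events_at_or_above(events, max_severity=4):
    """Keep events at least as severe as max_severity (lower number = more severe),
    the kind of filter a detection search over this data would apply."""
    parsed = (parse_cisco_event(e) for e in events)
    return [f for f in parsed if f and f["severity"] <= max_severity]


if __name__ == "__main__":
    for e in EVENTS:
        print("greedy:", extract_error(GREEDY, e))
        print("lazy:  ", extract_error(LAZY, e))
        print("parsed:", parse_cisco_event(e))
```

On the first event both patterns agree because there is only one `: ` in the line; on the second the greedy `.*` runs to the last `: ` before `port-channel105`, while `.*?` stops at the first one and yields `%ACLLOG-4-ACLLOG_THRESHOLD`. The severity-5 line matches neither rex (the `[0-4]` class excludes it) but is still split cleanly by the transforms-style regex, which is why the permanent extraction is the more useful one for filtering by severity.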


Re: REX not being consistent in defining "fields"

Communicator

A...ding, ding, ding! This did it. Thank you!
I will try the more permanent solution and see what I get.
