Splunk Search
Highlighted

Regex broken by addition of linebreaker

Builder

Anyone run across anything like this? Adding a linebreak breaking existing regex...

To address some issues around multiline events this linebreaker was added...

LINE_BREAKER= ([\r\n]+)\d+:\d+:\d+,\d+\s  

After the change, this regex stopped working...

Correlation ID for exception is\[.*\]\n(?P<EXCEPTION_NEW>[^\n=@,0-9]+)

Log sample NOT working now...

12:48:15,778 [AWT-EventQueue-0] ERROR com.ui.exceptionhandler.DefaultExceptionHandler  - Correlation ID for exception is[CAPPC28-154f-31dc7a1-0000]
java.lang.IllegalStateException: Cannot cancel an already completed Transaction
    at com..session.DomainTransaction.cancel(DomainTransaction.java:79)

Log sample working pre change

08:06:05,983 [AWT-EventQueue-0] ERROR com.ui.exceptionhandler.DefaultExceptionHandler  - Correlation ID for exception is[CAPPC168-154e-cf4dd61-0002]
java.lang.IllegalStateException: Cannot cancel an already completed Transaction
    at com.session.DomainTransaction.cancel(DomainTransaction.java:79)

Above look the same to me except for unique ID and both samples work in regex101.com, but now broken in Splunk.

Thoughts, suggestions welcome.

Tags (3)
0 Karma
Highlighted

Re: Regex broken by addition of linebreaker

SplunkTrust
SplunkTrust

What was the old line breaker? Is the regex being used at index time or search time?

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Highlighted

Re: Regex broken by addition of linebreaker

Builder

Addition of linebreaker seems like it added whitespace around linebreaks. This is what I did...

OLD REX: Correlation ID for exception is\[.*\]\n(?P[^\n,=,@,0-9]+)  
NEW REX: Correlation ID for exception is\[.*?\][\r\n\s]+(?P.*?[^0-9\n\r\t=@]+) 

View solution in original post

0 Karma