I am having trouble with field extraction. I have a regex which works in a PCRE regex tester, but when I attempt to use this regex in Splunk I get an "unmatched closing parenthesis" error.
SPL:
sourcetype=mysourcetype | rex field=_raw max_match=0 "(?<_KEY_1>(?:[A-Z]\w+\s){0,1}+[A-Z]\w+):[^\S\t\n\r](?<_VAL_1>(?:\d+\/\d+\/\d+\s\d+:\d+:\d+\s\w+|(?:\w:)?[\w\(\).\/\\]*(?:[^\S\t\n\r][\w.\/\\\(\)-]+)*))\s"
Event text:
Mar 15 09:47:27 Agent: Desc: normalized Agent ID: pbw Agent Ver: Category: Source Host: Event Desc: Custom Rule Applied Event Name: 28693 OS: Event Severity: 0 Source IP: Event Subject: Event Type: 0 User: Domain\user Workgroup Desc: Workgroup ID: Workgroup Location: TimeCreated: 3/15/2019 2:47:00 PM AssetId: 38282 AssetName: computername EventMessage: Custom Rule Applied SystemType: WINDOWS Application: RuleName: VS2017 - Publisher Rule (new) EventTypeID: 28693 Hash: FirstOccurence: 3/15/2019 2:47:00 PM LastOccurence: 3/15/2019 2:47:00 PM EventId1: 112618911 HasRule: TRUE Vendor: Arguments: /d /s /c tasklist /fi imagename eq devenv.exe /fi pid eq 16100 /fo table /nh Excluded: FALSE Application1: RuleType: PUBLISHER RuleName1: VS2017 - Publisher Rule (new) Justification: Path: C:\Windows\system32\cmd.exe UserName: domain\user UserType: Administrator
I initially built the regex into a transform for my search heads. When that didn't work, I started trying to test it in SPL to troubleshoot why it works in the online tester but not in Splunk. I'm missing whatever it is that's breaking my regex.
Try putting the statements on either side of the "or" in parentheses.
sourcetype=mysourcetype | rex field=_raw max_match=0 "(?<_KEY_1>((?:[A-Z]\w+\s){0,1}+[A-Z]\w+):^\S\t\n\r\s)"
This still returns the error that there is an unmatched closing parenthesis.
I'll open up a ticket with support and update this with the results.