Splunk Search

Regex field extraction

saulverde
Path Finder

I am having trouble with field extraction. I have a regex which works in a pcre regex tester but when I attempt to use this regex in splunk I get an "unmatched closing parenthesis" error

SPL:

sourcetype=mysourcetype | rex field=_raw max_match=0  "(?<_KEY_1>(?:[A-Z]\w+\s){0,1}+[A-Z]\w+):[^\S\t\n\r](?<_VAL_1>(?:\d+\/\d+\/\d+\s\d+:\d+:\d+\s\w+|(?:\w:)?[\w\(\).\/\\]*(?:[^\S\t\n\r][\w.\/\\\(\)-]+)*))\s"

Event text:

Mar 15 09:47:27  Agent: Desc: normalized    Agent ID: pbw   Agent Ver:  Category:   Source Host:    Event Desc: Custom Rule Applied Event Name: 28693   OS:     Event Severity: 0   Source IP:  Event Subject:  Event Type: 0   User: Domain\user   Workgroup Desc:     Workgroup ID:   Workgroup Location:     TimeCreated: 3/15/2019 2:47:00 PM   AssetId: 38282  AssetName: computername EventMessage: Custom Rule Applied   SystemType: WINDOWS Application:    RuleName: VS2017 - Publisher Rule (new) EventTypeID: 28693  Hash:   FirstOccurence: 3/15/2019 2:47:00 PM    LastOccurence: 3/15/2019 2:47:00 PM EventId1: 112618911 HasRule: TRUE   Vendor:     Arguments: /d /s /c tasklist /fi imagename eq devenv.exe /fi pid eq 16100 /fo table /nh Excluded: FALSE Application1:   RuleType: PUBLISHER RuleName1: VS2017 - Publisher Rule (new)    Justification:  Path: C:\Windows\system32\cmd.exe   UserName: domain\user   UserType: Administrator 

I initially built the regex into a transform for my searchheads. When that didn't work I started trying to test it in SPL to troubleshoot why it works in the online tester but not in Splunk. I'm missing whatever it is that's breaking my regex.

0 Karma

mydog8it
Builder

Try putting the statements on either side of the "or" in parenthesis.
sourcetype=mysourcetype | rex field=_raw max_match=0 "(?<_KEY_1>((?:[A-Z]\w+\s){0,1}+[A-Z]\w+):^\S\t\n\r\s)"

0 Karma

saulverde
Path Finder

This still returns the errors that there is an unmatched closing parenthesis.

I'll open up a ticket with support and update this with the results.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...