Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Regex help
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am at a loss as to why the following is not working.
log:
2020-03-31 20:31:19,621 fail2ban.actions [709]: NOTICE [sshd] Unban 156.38.x.x
Query
index=main fail2ban.actions | regex _raw="[(?
I have double checked the regular expression with regex101 and "sshd" is captured in group jail.
Am i missing something?
Splunk Enterprise 8.0.2.1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=main fail2ban.actions sshd
| rex "\[(?<jail>[a-z]+)\]"
| fields jail
regex: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Regex
rex: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex
what do you want to do?
[is meta character.
your | regex _raw="[(?<jail>sshd)]" searches the word sshd
see following:
\ general escape character with several uses
^ assert start of string (or line, in multiline mode)
$ assert end of string (or line, in multiline mode)
. match any character except newline (by default)
[ start character class definition
| start of alternative branch
( start subpattern
) end subpattern
? extends the meaning of (
also 0 or 1 quantifier
also quantifier minimizer
* 0 or more quantifier
+ 1 or more quantifier
also "possessive quantifier"
{ start min/max quantifier
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=main fail2ban.actions sshd
| rex "\[(?<jail>[a-z]+)\]"
| fields jail
regex: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Regex
rex: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex
what do you want to do?
[is meta character.
your | regex _raw="[(?<jail>sshd)]" searches the word sshd
see following:
\ general escape character with several uses
^ assert start of string (or line, in multiline mode)
$ assert end of string (or line, in multiline mode)
. match any character except newline (by default)
[ start character class definition
| start of alternative branch
( start subpattern
) end subpattern
? extends the meaning of (
also 0 or 1 quantifier
also quantifier minimizer
* 0 or more quantifier
+ 1 or more quantifier
also "possessive quantifier"
{ start min/max quantifier
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That worked! thanks you. Why is it when I search for the exact match it returns nothing?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
regex is search, not field extract command.
so, field jail is missing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@vlape_SCWX can you try something like the following:
index=main fail2ban.actions
| rex "\[(?<jail>sshd)\]"
| table jail _raw
Not sure what you want to pull with hard-coded sshd
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For some reason the \ before [ was stripped when posting the question.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Use Code Sample or press Ctrl +k while posting your query
App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community
Operationalizing Entity Risk Score with Enterprise Security 8.3+
Unlock Database Monitoring with Splunk Observability Cloud
