Splunk Search

Regex help

vlape_SCWX
New Member

I am at a loss as to why the following is not working.
log:
2020-03-31 20:31:19,621 fail2ban.actions [709]: NOTICE [sshd] Unban 156.38.x.x
Query
index=main fail2ban.actions | regex _raw="[(?<jail>sshd)]" | fields jail
I have double checked the regular expression with regex101 and "sshd" is captured in group jail.
Am I missing something?
Splunk Enterprise 8.0.2.1

0 Karma
1 Solution

to4kawa
Ultra Champion
index=main fail2ban.actions sshd
| rex "\[(?<jail>[a-z]+)\]"
| fields jail

regex: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Regex
rex: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex

What do you want to do?
[ is a meta character.
Your | regex _raw="[(?<jail>sshd)]" searches for the word sshd.

See the following:

  \      general escape character with several uses
  ^      assert start of string (or line, in multiline mode)
  $      assert end of string (or line, in multiline mode)
  .      match any character except newline (by default)
  [      start character class definition
  |      start of alternative branch
  (      start subpattern
  )      end subpattern
  ?      extends the meaning of (
         also 0 or 1 quantifier
         also quantifier minimizer
  *      0 or more quantifier
  +      1 or more quantifier
         also "possessive quantifier"
  {      start min/max quantifier

https://www.pcre.org/original/doc/html/pcrepattern.html


0 Karma

vlape_SCWX
New Member

That worked! Thank you. Why is it that when I search for the exact match it returns nothing?

0 Karma

to4kawa
Ultra Champion

regex is a search command, not a field-extraction command,
so the field jail is missing.

0 Karma
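To make the regex-versus-rex point of the accepted answer and the note above concrete, here is an added Python model (not from the thread or from Splunk) that runs the pattern as posted and the corrected rex over a few constructed fail2ban lines; the first line is the one quoted in the question, the others are made up, and pcre_to_python is an assumed helper that bridges PCRE's (?<name>...) syntax to Python's (?P<name>...).

```python
import re
from collections import Counter

# Constructed fail2ban events; the first line is the one quoted in the question.
EVENTS = [
    "2020-03-31 20:31:19,621 fail2ban.actions [709]: NOTICE [sshd] Unban 156.38.x.x",
    "2020-03-31 20:35:02,004 fail2ban.actions [709]: NOTICE [sshd] Ban 203.0.113.7",
    "2020-03-31 20:40:11,118 fail2ban.actions [709]: NOTICE [postfix] Ban 198.51.100.9",
    "2020-03-31 20:41:00,500 fail2ban.filter [709]: INFO [sshd] Found 203.0.113.7",
]

# Patterns from the thread: the one as posted (backslash lost) and the accepted rex.
AS_POSTED = "[(?<jail>sshd)]"        # a character class: any one of ( ? < j a i l > s h d
CORRECTED = r"\[(?<jail>[a-z]+)\]"   # escaped brackets around a named capture group


def pcre_to_python(pattern):
    """Splunk's PCRE writes named groups as (?<name>...); Python's re wants (?P<name>...).
    Lookbehinds (?<= and (?<! are left alone since '=' and '!' are not word characters."""
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)

def to_events(lines):
    return [{"_raw": line} for line in lines]

def spl_regex(events, pattern):
    """Model of `| regex _raw="..."`: keeps events whose _raw matches, adds no fields."""
    rx = re.compile(pcre_to_python(pattern))
    return [ev for ev in events if rx.search(ev["_raw"])]

def spl_rex(events, pattern):
    """Model of `| rex "..."`: copies each named group into a field of the event."""
    rx = re.compile(pcre_to_python(pattern))
    out = []
    for ev in events:
        m = rx.search(ev["_raw"])
        out.append({**ev, **m.groupdict()} if m else dict(ev))
    return out

def jail_counts(lines, pattern=CORRECTED):
    """Like `| rex ... | stats count by jail`: how many events hit each jail."""
    return Counter(ev["jail"] for ev in spl_rex(to_events(lines), pattern) if "jail" in ev)

if __name__ == "__main__":
    events = to_events(EVENTS)
    # The posted pattern matches every line (each contains an 's'), yet yields no jail field.
    print(len(spl_regex(events, AS_POSTED)), [ev.get("jail") for ev in spl_regex(events, AS_POSTED)])
    # The corrected rex skips [709] (digits are not [a-z]) and extracts the jail name.
    print([ev["jail"] for ev in spl_rex(events, CORRECTED)])
    print(jail_counts(EVENTS))
```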

niketn
Legend

@vlape_SCWX can you try something like the following:

index=main fail2ban.actions 
| rex "\[(?<jail>sshd)\]" 
| table jail _raw

Not sure what you want to pull with hard-coded sshd.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

vlape_SCWX
New Member

For some reason the \ before [ was stripped when posting the question.

0 Karma

vnravikumar
Champion

Hi

Use Code Sample or press Ctrl+K while posting your query.

0 Karma