Regex not working on splunk for the expression whi...

Shariq · ‎10-28-2021

i have data as below :

Request-all-Headers = Accept - */* Authorization - Bearer m6CsheaxrlMKIBH3vZ0EXk5G3rw6 Content-Type - application/json Host - api.ingrammicro.com IM-CorrelationID - 213.45245849 IM-CountryCode - TN IM-CustomerNumber - 44-999999 IM-SenderID - Global Reward Solutions simulateStatus - IM::SHIPPED X-Forwarded-For - 10.0.0.0X-Forwarded-Port - 123 X-Forwarded-Proto - https

and working rex below from regex 101 :

IM-CountryCode\s+-\s+(?P<country>[A-Z]{2})\s+IM-CustomerNumber\s+-\s+(?P<custno>[0-9]+-[0-9]{6})

now when I tried the same with splunk. splunk is not able to extract the fields . my splunk query is below :

index=test sourcetype="test"
| rex field=Request-all-Headers "IM-CountryCode\s+-\s+(?P<country>[A-Z]{2})"
| rex field=Request-all-Headers "IM-CustomerNumber\s+-\s+(?P<custno>[0-9]+-[0-9]{6})"

Shariq · ‎10-28-2021

i even tried changing the variable name but no luck

jbanAtSplunk · ‎10-28-2021

Have you tried on _raw filed?
like
rex field=_raw "your_regex"

Shariq · ‎10-28-2021

i did not try _raw earlier but when I did just now,it worked. but still, I am not clear why request-all-header is not working since I can see that this field is getting extracted properly without any rex.

Shariq · ‎10-28-2021

No , it is still not working in Splunk with real event. i can see the events but the query is not doing anything the make result is something I tried in all ways and it works with make result but not with the query with original event.

| makeresults | eval Request-all-Headers="Accept - */* Authorization - Bearer m6CsheaxrlMKIBH3vZ0EXk5G3rw6 Content-Type - application/json Host - api.ingrammicro.com IM-CorrelationID - 213.45245849 IM-CountryCode - TN IM-CustomerNumber - 44-999999 IM-SenderID - Global Reward Solutions simulateStatus - IM::SHIPPED X-Forwarded-For - 10.0.0.0X-Forwarded-Port - 123 X-Forwarded-Proto - https" | rex field=Request-all-Headers "IM-CountryCode\s+-\s+(?P<country>[A-Z]{2})"
| rex field=Request-all-Headers "IM-CustomerNumber\s+-\s+(?P<custno>[0-9]+-[0-9]{6})" | table Request-all-Headers country custno

jbanAtSplunk · ‎10-28-2021

Hi, can you try your original search?

| makeresults | eval Request-all-Headers="Accept - */* Authorization - Bearer m6CsheaxrlMKIBH3vZ0EXk5G3rw6 Content-Type - application/json Host - api.ingrammicro.com IM-CorrelationID - 213.45245849 IM-CountryCode - TN IM-CustomerNumber - 44-999999 IM-SenderID - Global Reward Solutions simulateStatus - IM::SHIPPED X-Forwarded-For - 10.0.0.0X-Forwarded-Port - 123 X-Forwarded-Proto - https" | rex field=Request-all-Headers "IM-CountryCode\s+-\s+(?P<country>[A-Z]{2})\s+IM-CustomerNumber\s+-\s+(?P<custno>[0-9]+-[0-9]{6})" | table Request-all-Headers country custno

ITWhisperer · ‎10-29-2021

Try putting the field name in single quotes in the rex command

Shariq · ‎10-29-2021

single quote did not worked

Regex not working on splunk for the expression which works well on regex 101

regex

rex

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

Regex not working on splunk for the expression which works well on regex 101

regex

rex

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases