Solved: Re: Regex working in Regex101 and not Splunk

danielkhouri · ‎09-15-2019

Hello,

I've put together two Regex expressions to capture specific words from a syslog entry. First Regex is to capture the neighbor IP address (1.2.3.4) and the second Regex is to capture the vrf name (Test123). The intent is to use the values in a table.

<141>2019-09-13T16:33:48+00:00 HostABC %BGP-5-ADJCHANGE: neighbor 1.2.3.4 vpn vrf Test-123 Up

These are the Regex expressions I'm using that work in Regex101 and not in Splunk:

(?<=neighbor\s)(\S+)
(?<=vrf\s)(\S+)

Thanks.

MuS · ‎09-15-2019

Hi danielkhouri,

You did not mention how you are using the regex in Splunk, but I suspect the opening < tag to be the problem.
You could try a simplified version of the regex and see if this works for you:

neighbor\s(?<my_ip>(\S+)) 
vrf\s(?<my_name>(\S+))

Using this in inline SPL using the rex command it will create the fields my_ip and my_name with the values 1.2.3.4 and Test-123 based on the provided sample.

Hope this helps ...

cheers, MuS

View solution in original post

gcusello · ‎09-15-2019

Hi danielkhouri,
try this

(?<my_ip>\d+\.\d+\.\d+\.\d+).*vrf\s(?<my_vrf>[^ ]*\s+\w+$

Bye.
Giuseppe

MuS · ‎09-15-2019

Hi danielkhouri,

You did not mention how you are using the regex in Splunk, but I suspect the opening < tag to be the problem.
You could try a simplified version of the regex and see if this works for you:

neighbor\s(?<my_ip>(\S+)) 
vrf\s(?<my_name>(\S+))

Using this in inline SPL using the rex command it will create the fields my_ip and my_name with the values 1.2.3.4 and Test-123 based on the provided sample.

Hope this helps ...

cheers, MuS

danielkhouri · ‎09-15-2019

Hi MuS,

That worked - thanks for the information!

Another issue I have - I'm looking to create a Regex that capture 2019 Aug 21 01:00:25.971 AEST: and 2019 Aug 21 01:00:25.971 AEST: from the below:

2019 Aug 21 01:00:25.971 AEST: HostABC %BGP-5-ADJCHANGE: neighbor 1.2.3.4 vpn vrf Test-123 Up
2019 Aug 3 01:00:25.971 AEST: HostABC %BGP-5-ADJCHANGE: neighbor 1.2.3.4 vpn vrf Test-123 Up

I've configured the following expression (which works in Regex101) however I'm not getting any values in Splunk when I use it in a table

(?\d{4}\s\D{3}\s\d{2}\s\d{2}[:]\d{2}[:]\d{2}[.]\d{1,3}|\d{4}\s\D{3}\s\s\d{1}\s\d{2}[:]\d{2}[:]\d{2}[.]\d{1,3})

The thing to look out for is the extra space before the "3". Is there a better way of doing this?

MuS · ‎09-16-2019

Hi danielkhouri,

you did not mention how you will use the regex in Splunk - again. But since my first provided example worked for you I assume it is a inline SPL rex command. If so you will need to create a named capturing group https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex#Usage to tell Splunk to use the captured values in a field name.

Based on the provided examples try this:

(?<my_time>\d{4}[\d\s\w\.:]+AEST:)\s

Hope this helps ...

cheers, MuS

danielkhouri · ‎09-16-2019

Thanks again - that worked!

Regex working in Regex101 and not Splunk

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor