Splunk Search

Splunk Regex - Works in regex101 but not Splunk

JacobCarrell
Explorer

I've got a regex that's working in Regex101's editor, but when I paste it into Splunk I get garbage or no results:
Regex:

^(?:[^ \n]* ){5}\[(?P<username>\w+)(?:\].*\])(?P<IP>[^:]+)

Sample entries:
Oct 24 18:43:57 openvpn[36372]: 66.103.224.123:59349 [username] Peer Connection Initiated with [AF_INET]66.103.224.123:59349
Oct 24 18:28:54 openvpn[21337]: 66.103.224.123:50873 [username] Peer Connection Initiated with [AF_INET]66.103.224.123:50873

URL:
https://regex101.com/r/by1mOW/7

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi
why you say that doesn't run on Splunk?
I tried this

index=_internal  
|head 1 
| eval ppp="Oct 24 18:43:57 openvpn[36372]: 66.103.224.123:59349 [username] Peer Connection Initiated with [AF_INET]66.103.224.123:59349" 
| rex field=ppp "^(?:[^ \n]* ){5}\[(?P<username>\w+)(?:\].*\])(?P<IP>[^:]+)" 
| table username IP

And I have

username    IP
username    66.103.224.123

Bye.
Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi
why you say that doesn't run on Splunk?
I tried this

index=_internal  
|head 1 
| eval ppp="Oct 24 18:43:57 openvpn[36372]: 66.103.224.123:59349 [username] Peer Connection Initiated with [AF_INET]66.103.224.123:59349" 
| rex field=ppp "^(?:[^ \n]* ){5}\[(?P<username>\w+)(?:\].*\])(?P<IP>[^:]+)" 
| table username IP

And I have

username    IP
username    66.103.224.123

Bye.
Giuseppe

JacobCarrell
Explorer

Thanks, I didn't know you could do this. It turns out I'm using an app that provides predefined sourcetypes. I ran out of oomph last night after rewriting the regex to grab the IP from the first IP and STILL getting the same results, so somewhere in one of my props.conf or transforms.conf is a bad regex. I'll have to track it down tonight.

For the record, this is syslogs from PFSense.

JacobCarrell
Explorer

Forgot to add, Here's what Splunk captures for the IP:
Initiated with [AF_INET]66.103.224.123

0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...