
Why does a comma in Regex break the serverclass in the Splunk GUI?

JeremyHagan
Communicator

When editing server classes in the Splunk GUI, it cannot handle a comma in a regex. E.g.:

\w{3}\d{1,3}\w

Ends up being broken up into two different whitelists in the serverclass.conf file.

Is this a bug?

JeremyHagan
Communicator

The documentation says:

These patterns are PCRE regular expressions

Apart from the caveat it then follows this statement with, where does it say anything about other limitations?

The specific syntax works perfectly in the conf file. The question I asked was about the behaviour of the Splunk GUI config page wrongly interpreting the commas inside the regex as a delimiter. So you haven't really answered the question.

lasnow
Explorer

I had a case open with Splunk support on this, and was told it was a potential defect in the UI. I worked around it; you could use \w{3}\d\d?\d?\w instead of \w{3}\d{1,3}\w
Clunky, but it works...
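
The workaround in the reply above generalises: any bounded quantifier `atom{m,n}` can be written without a comma. The following is an added example, not part of the original thread and not Splunk code. It assumes the GUI splits the field on every comma (as the question describes) and uses Python's `re` as a stand-in for PCRE; all function names and sample client names are constructed.

```python
import re

# One regex atom (escape such as \d, a bracket class, or a single literal)
# with an optional bounded quantifier {m,n}. Groups and open-ended {m,}
# are deliberately not handled and are left unchanged.
ATOM = re.compile(r"(\\.|\[[^\]]+\]|[^\\()\[\]{}|*+?])(?:\{(\d+),(\d+)\})?")

def naive_comma_split(value):
    """Assumed model of the GUI behaviour reported above: split on every comma."""
    return value.split(",")

def comma_free(pattern):
    """Rewrite atom{m,n} as m required copies plus (n - m) optional copies."""
    def expand(match):
        atom, low, high = match.group(1), match.group(2), match.group(3)
        if low is None:               # atom without a {m,n} quantifier
            return match.group(0)
        low, high = int(low), int(high)
        if high < low:
            raise ValueError("invalid quantifier: " + match.group(0))
        return atom * low + (atom + "?") * (high - low)
    return ATOM.sub(expand, pattern)

def same_matches(original, rewritten, names):
    """True if both patterns accept exactly the same names (case-insensitive)."""
    flags = re.IGNORECASE
    return all(
        bool(re.fullmatch(original, n, flags)) == bool(re.fullmatch(rewritten, n, flags))
        for n in names
    )

# Constructed sample client names, not taken from the thread.
SAMPLE_NAMES = ["abc1x", "abc12x", "abc123x", "abc1234x", "abcx", "ABC99Z", "ab1x"]

if __name__ == "__main__":
    original = r"\w{3}\d{1,3}\w"
    rewritten = comma_free(original)
    print(naive_comma_split(original))   # the pattern is cut in two
    print(rewritten, naive_comma_split(rewritten))
    print(same_matches(original, rewritten, SAMPLE_NAMES))
```

If a comma is still present after the rewrite (a quantified group, or `{m,}`), edit serverclass.conf directly, where the thread reports the original syntax works.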

JeremyHagan
Communicator

Yeah I did the same as I realised I should have been using ? instead of {0,1}.

It would be great if you posted any fix they provide to you. Thanks for the reply


esix_splunk
Splunk Employee

Refer to the spec file for serverclass.conf; you cannot use full PCRE regex expressions in the whitelist / blacklists.
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverclassconf

whitelist. =  |  | 
blacklist. =  |  | 
    * 'n' is a number starting at 0, and increasing by 1. Splunk stops evaluating a filter at the first break in sequence of 'n' values.
    * The value of this attribute is matched against several things in order:
         * Any clientName specified by the client in its deploymentclient.conf file
         * The IP address of the connected client
         * The hostname of the connected client, as provided by reverse DNS lookup
         * The hostname of the client, as provided by the client
    * All of these can be used with wildcards.  * will match any sequence of characters.  For example:
        * Match a network range: 10.1.1.*
        * Match a domain: *.splunk.com
    * Can be overridden at the serverClass level, and the serverClass:app level.
    * There are no whitelist or blacklist entries by default.
    * These patterns are PCRE regular expressions, with the following aids for easier entry:
        * You can specify simply '.' to mean '\.'
        * You can specify simply '*' to mean '.*'
    * Matches are always case-insensitive; you do not need to specify the '(?i)' prefix.

# Note: Overriding one type of filter (whitelist/blacklist) causes the other to
# be overridden (and hence not inherited from parent) too.

# Example with filterType=whitelist:
#     whitelist.0=*.splunk.com
#     blacklist.0=printer.splunk.com
#     blacklist.1=scanner.splunk.com
# This will cause all hosts in splunk.com, except 'printer' and 'scanner', to match this server class.

# Example with filterType=blacklist:
#     blacklist.0=*
#     whitelist.0=*.web.splunk.com
#     whitelist.1=*.linux.splunk.com
# This will cause only the 'web' and 'linux' hosts to match the server class. No other hosts will match.