Splunk Search

Why is my rex command after upgrade to 6.3 not working

PPape
Contributor

Hello

I'm using this Regex command:

rex max_match=25 "\s+(?P<UserName>[^ ]+\s*\w*)\s+(?P<Status>[Allow|Deny]+)\s+(?P<Rigths>[\w+|-\d+][,\s+\w+]*)\n"

With version 6.2.x it works fine, but after the upgrade to 6.3 I get this error:

Error in 'rex' command: Encountered the following error while compiling the regex '\s+(?P<UserName>[^ ]+\s*\w*)\s+(?P<Status>[Allow|Deny]+)\s+(?P<Rigths>[\w+|-\d+][,\s+\w+]*)\n': Regex: invalid range in character class

Here is a pastebin of sample data -paste-

Am I the only one who is facing this?
I hope you can help me.

Best regards!

0 Karma
1 Solution

knielsen
Contributor

Hi,

Pasting your rex expression into regex101 points out that [\w+|-\d+] is the problem. "-" is parsed as a range quantifier, which doesn't make sense in that expression. If that "-" should match an actual "-", then escape it with a backslash.

Hth,
Kai.
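
Added example (not part of the original thread): the check below compiles the posted pattern and the escaped-hyphen variant, then runs the escaped one over sample events. It assumes Python's `re` module as a stand-in for the PCRE engine behind `rex`; Python also rejects `|-\d` as a character range. The sample events and the helper names `compile_error` and `extract` are constructed for illustration.

```python
import re
from itertools import islice

# The poster's pattern, and the same pattern with the hyphen escaped as the
# answer above suggests. The field name "Rigths" is kept as posted.
ORIGINAL = (r"\s+(?P<UserName>[^ ]+\s*\w*)\s+(?P<Status>[Allow|Deny]+)"
            r"\s+(?P<Rigths>[\w+|-\d+][,\s+\w+]*)\n")
ESCAPED = ORIGINAL.replace(r"[\w+|-\d+]", r"[\w+|\-\d+]")

# Constructed sample events; the thread's pastebin is not reproduced here.
SAMPLE = " jdoe Allow Read, Write\n asmith Deny -1\n"


def compile_error(pattern):
    """Return the regex compiler's error message, or None if it compiles."""
    try:
        re.compile(pattern)
    except re.error as exc:
        return str(exc)
    return None


def extract(pattern, text, max_match=25):
    """Mimic rex max_match: return up to max_match dicts of named groups."""
    matches = islice(re.finditer(pattern, text), max_match)
    return [m.groupdict() for m in matches]


if __name__ == "__main__":
    print("original:", compile_error(ORIGINAL))   # a "bad character range" error
    print("escaped: ", compile_error(ESCAPED))    # None, pattern compiles
    for fields in extract(ESCAPED, SAMPLE):
        print(fields)
```

Running the same compile check over saved-search patterns before an upgrade surfaces this class of error ahead of time.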


alacercogitatus
SplunkTrust

I'm not sure of the exact cause, but I can guess. 6.3 might have introduced stronger regex validation. That being the case, the " " (blank space) might be the cause.

Try this:

rex max_match=25 "\s+(?P<UserName>[^\s]+\s*\w*)\s+(?P<Status>Allow|Deny)+\s+(?P<Rights>[\w+|-\d+][,\s+\w+]*)\n"
0 Karma

PPape
Contributor

Sorry for the late response, this was the right answer!
Thank you very much Kai!

0 Karma