Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why regex created with the Field Extractor utility is not working when used in a search?

jwalzerpitt
Influencer
‎01-13-2015 12:59 PM

Field extractor created a regex that when I use as a search string doesn't work. The search string is:

index=myindex | rex "\.info\] Accepted keyboard-interactive for\s+(?P[^ ]+)"

If I plug this search string and test strings into regx101.com, I get matches.

Any ideas as to what may be wrong with the regex? The regex is generated on a Splunk server running 6.2.1, but I'm trying to use it as a search on a Splunk server running 6.0.1, but I wouldn't think that's an issue, but just wanted to note it in case.

Thx

0 Karma
Reply

jwalzerpitt
Influencer
‎01-14-2015 07:19 AM

Thx Rich. Worked except for the angle brackets which it strips out.

Regex is:

index=myidex sourcetype="unixs1" | head 10000 | rex "\\.info\\] Accepted keyboard-interactive for\\s+(?P(anglebracket)authuser(anglebracket)[^ ]+)"

0 Karma
Reply

jwalzerpitt
Influencer
‎01-14-2015 06:41 AM

After some fiddling around, I fixed the regex. For some reason, it needed two back slashes (apologize as earlier I said forward slashes) in front of .info, behind .info, and two back slashes before s+. Once I made those modification, the authuser field was extracted.

I'd like to post the regex for others, but every time I try and post it the back slash is causing problems. Any one know how to override the tags here?

Thx

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-14-2015 07:11 AM

Put the regex inside backtics and the backslashes will be preserved.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

somesoni2
Revered Legend
‎01-13-2015 01:57 PM

Can you provide some sample log entries?

0 Karma
Reply

gesman
Communicator
‎01-13-2015 01:13 PM

Try this (angle brackets were missing around P):

index=myindex | rex "\.info\] Accepted keyboard-interactive for\s+(?<P>[^ ]+)"
0 Karma
Reply

jwalzerpitt
Influencer
‎01-13-2015 01:12 PM

Apologizes as the copy of the actual string failed because of the forward slashes and angle brackets in the regex. It should be:

index=unixs| rex "(forwardslash).info(forwardslash)] Accepted keyboard-interactive for(forwardslash)s+(?P(anglebracket)authuser(anglebracket)[^ ]+)"

When I enter that search string in, the authuser field name doesn't not appear

Thx

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-13-2015 01:09 PM

What exactly do you mean by "doesn't work"? Are you matching the wrong text, not matching anything, or something else? Your rex command doesn't include a field name - you may want to try 

index=myindex | rex "\.info] Accepted keyboard-interactive for\s+(?P<fieldName>[^ ]+)"

if you want to use the matched text in subsequent commands.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Transforming Financial Data into Fraud Intelligence

Every day, banks and financial companies handle millions of transactions, logins, and customer interactions ...

How to send events & findings from AWS to Splunk using Amazon EventBridge

Amazon EventBridge is a serverless service that uses events to connect application components together, making ...

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...
Top