Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why regex created with the Field Extractor utility is not working when used in a search?

jwalzerpitt
Influencer
‎01-13-2015 12:59 PM

Field extractor created a regex that when I use as a search string doesn't work. The search string is:

index=myindex | rex "\.info\] Accepted keyboard-interactive for\s+(?P[^ ]+)"

If I plug this search string and test strings into regx101.com, I get matches.

Any ideas as to what may be wrong with the regex? The regex is generated on a Splunk server running 6.2.1, but I'm trying to use it as a search on a Splunk server running 6.0.1, but I wouldn't think that's an issue, but just wanted to note it in case.

Thx

0 Karma
Reply

jwalzerpitt
Influencer
‎01-14-2015 07:19 AM

Thx Rich. Worked except for the angle brackets which it strips out.

Regex is:

index=myidex sourcetype="unixs1" | head 10000 | rex "\\.info\\] Accepted keyboard-interactive for\\s+(?P(anglebracket)authuser(anglebracket)[^ ]+)"

0 Karma
Reply

jwalzerpitt
Influencer
‎01-14-2015 06:41 AM

After some fiddling around, I fixed the regex. For some reason, it needed two back slashes (apologize as earlier I said forward slashes) in front of .info, behind .info, and two back slashes before s+. Once I made those modification, the authuser field was extracted.

I'd like to post the regex for others, but every time I try and post it the back slash is causing problems. Any one know how to override the tags here?

Thx

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-14-2015 07:11 AM

Put the regex inside backtics and the backslashes will be preserved.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

somesoni2
Revered Legend
‎01-13-2015 01:57 PM

Can you provide some sample log entries?

0 Karma
Reply

gesman
Communicator
‎01-13-2015 01:13 PM

Try this (angle brackets were missing around P):

index=myindex | rex "\.info\] Accepted keyboard-interactive for\s+(?<P>[^ ]+)"
0 Karma
Reply

jwalzerpitt
Influencer
‎01-13-2015 01:12 PM

Apologizes as the copy of the actual string failed because of the forward slashes and angle brackets in the regex. It should be:

index=unixs| rex "(forwardslash).info(forwardslash)] Accepted keyboard-interactive for(forwardslash)s+(?P(anglebracket)authuser(anglebracket)[^ ]+)"

When I enter that search string in, the authuser field name doesn't not appear

Thx

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-13-2015 01:09 PM

What exactly do you mean by "doesn't work"? Are you matching the wrong text, not matching anything, or something else? Your rex command doesn't include a field name - you may want to try 

index=myindex | rex "\.info] Accepted keyboard-interactive for\s+(?P<fieldName>[^ ]+)"

if you want to use the matched text in subsequent commands.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...