Splunk Search

Why regex created with the Field Extractor utility is not working when used in a search?

jwalzerpitt
Influencer

Field extractor created a regex that when I use as a search string doesn't work. The search string is:

index=myindex | rex "\.info\] Accepted keyboard-interactive for\s+(?P[^ ]+)"

If I plug this search string and test strings into regex101.com, I get matches.

Any ideas as to what may be wrong with the regex? The regex was generated on a Splunk server running 6.2.1, but I'm trying to use it as a search on a Splunk server running 6.0.1. I wouldn't think that's an issue, but I just wanted to note it in case.

Thx

0 Karma

jwalzerpitt
Influencer

Thx Rich. Worked except for the angle brackets which it strips out.

Regex is:

index=myidex sourcetype="unixs1" | head 10000 | rex "\\.info\\] Accepted keyboard-interactive for\\s+(?P(anglebracket)authuser(anglebracket)[^ ]+)"

0 Karma

jwalzerpitt
Influencer

After some fiddling around, I fixed the regex. For some reason, it needed two backslashes (apologies, as earlier I said forward slashes) in front of .info, behind .info, and two backslashes before s+. Once I made those modifications, the authuser field was extracted.

I'd like to post the regex for others, but every time I try to post it the backslash is causing problems. Anyone know how to override the tags here?

Thx

0 Karma

richgalloway
SplunkTrust

Put the regex inside backticks and the backslashes will be preserved.

---
If this reply helps you, Karma would be appreciated.
0 Karma

somesoni2
Revered Legend

Can you provide some sample log entries?

0 Karma

gesman
Communicator

Try this (angle brackets were missing around P):

index=myindex | rex "\.info\] Accepted keyboard-interactive for\s+(?<P>[^ ]+)"

0 Karma

jwalzerpitt
Influencer

Apologies, as the copy of the actual string failed because of the forward slashes and angle brackets in the regex. It should be:

index=unixs| rex "(forwardslash).info(forwardslash)] Accepted keyboard-interactive for(forwardslash)s+(?P(anglebracket)authuser(anglebracket)[^ ]+)"

When I enter that search string in, the authuser field name doesn't appear.

Thx

0 Karma

richgalloway
SplunkTrust

What exactly do you mean by "doesn't work"? Are you matching the wrong text, not matching anything, or something else? Your rex command doesn't include a field name - you may want to try

index=myindex | rex "\.info] Accepted keyboard-interactive for\s+(?P<fieldName>[^ ]+)"

if you want to use the matched text in subsequent commands.

---
If this reply helps you, Karma would be appreciated.
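The two problems this thread turns on, the stripped angle brackets in the named group and the doubled backslashes inside the SPL string, can be checked outside Splunk. The script below is an added example, not code from the thread or from Splunk: it runs the thread's regex over constructed syslog lines in the "[auth.info] Accepted keyboard-interactive for ..." shape, shows that the bracket-stripped variant does not even compile, and models (as a stated assumption about SPL double-quoted strings, not Splunk's own code) why the doubled-backslash form yields the intended pattern.

```python
import re

# Constructed sample events in the "[facility.level] Accepted ..." shape implied by the
# thread's pattern; these are not real log data.
SAMPLE_EVENTS = [
    "Jan 10 08:12:01 bastion01 [auth.info] Accepted keyboard-interactive for alice from 10.1.2.3 port 51022 ssh2",
    "Jan 10 08:12:05 bastion01 [auth.info] Failed keyboard-interactive for bob from 10.1.2.9 port 51030 ssh2",
    "Jan 10 08:13:44 bastion01 [auth.info] Accepted keyboard-interactive for svc-backup from 10.1.5.7 port 40011 ssh2",
]

# The regex as the Field Extractor intended it: the named group is what turns the match
# into an "authuser" field usable by later search commands.
WORKING_REGEX = r"\.info\] Accepted keyboard-interactive for\s+(?P<authuser>[^ ]+)"

# What the forum rendered after stripping the angle brackets: "(?P[" is not a valid
# group prefix, so this pattern fails to compile instead of matching anything.
STRIPPED_REGEX = r"\.info\] Accepted keyboard-interactive for\s+(?P[^ ]+)"


def extract_authusers(events, pattern=WORKING_REGEX):
    """Return the authuser value from every event the pattern matches."""
    rx = re.compile(pattern)
    users = []
    for event in events:
        match = rx.search(event)
        if match:
            users.append(match.group("authuser"))
    return users


def regex_compiles(pattern):
    """True if the regex engine accepts the pattern; the stripped variant is rejected."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def spl_unescape(quoted):
    """Model of how a double-quoted SPL string is unescaped before rex sees it.
    Assumption for this example (not Splunk's code): "\\\\" becomes one backslash,
    "\\\"" becomes a quote, and every other character passes through unchanged."""
    out, i = [], 0
    while i < len(quoted):
        if quoted[i] == "\\" and i + 1 < len(quoted) and quoted[i + 1] in '\\"':
            out.append(quoted[i + 1])
            i += 2
        else:
            out.append(quoted[i])
            i += 1
    return "".join(out)
```

Under that model, the doubled form the thread settled on, `\\.info\\] ... \\s+(?P<authuser>[^ ]+)`, unescapes to exactly WORKING_REGEX, which is why it extracted the field while the single-backslash form did not.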