Splunk Search

Why regex created with the Field Extractor utility is not working when used in a search?

jwalzerpitt
Influencer

Field extractor created a regex that when I use as a search string doesn't work. The search string is:

index=myindex | rex "\.info\] Accepted keyboard-interactive for\s+(?P[^ ]+)"

If I plug this search string and test strings into regx101.com, I get matches.

Any ideas as to what may be wrong with the regex? The regex is generated on a Splunk server running 6.2.1, but I'm trying to use it as a search on a Splunk server running 6.0.1, but I wouldn't think that's an issue, but just wanted to note it in case.

Thx

0 Karma

jwalzerpitt
Influencer

Thx Rich. Worked except for the angle brackets which it strips out.

Regex is:

index=myidex sourcetype="unixs1" | head 10000 | rex "\\.info\\] Accepted keyboard-interactive for\\s+(?P(anglebracket)authuser(anglebracket)[^ ]+)"

0 Karma

jwalzerpitt
Influencer

After some fiddling around, I fixed the regex. For some reason, it needed two back slashes (apologize as earlier I said forward slashes) in front of .info, behind .info, and two back slashes before s+. Once I made those modification, the authuser field was extracted.

I'd like to post the regex for others, but every time I try and post it the back slash is causing problems. Any one know how to override the tags here?

Thx

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Put the regex inside backtics and the backslashes will be preserved.

---
If this reply helps you, Karma would be appreciated.
0 Karma

somesoni2
Revered Legend

Can you provide some sample log entries?

0 Karma

gesman
Communicator

Try this (angle brackets were missing around P):

index=myindex | rex "\.info\] Accepted keyboard-interactive for\s+(?<P>[^ ]+)"
0 Karma

jwalzerpitt
Influencer

Apologizes as the copy of the actual string failed because of the forward slashes and angle brackets in the regex. It should be:

index=unixs| rex "(forwardslash).info(forwardslash)] Accepted keyboard-interactive for(forwardslash)s+(?P(anglebracket)authuser(anglebracket)[^ ]+)"

When I enter that search string in, the authuser field name doesn't not appear

Thx

0 Karma

richgalloway
SplunkTrust
SplunkTrust

What exactly do you mean by "doesn't work"? Are you matching the wrong text, not matching anything, or something else? Your rex command doesn't include a field name - you may want to try

index=myindex | rex "\.info] Accepted keyboard-interactive for\s+(?P<fieldName>[^ ]+)"

if you want to use the matched text in subsequent commands.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Announcing General Availability of Splunk Incident Intelligence!

Digital transformation is real! Across industries, companies big and small are going through rapid digital ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...