Field extractor created a regex that doesn't work when I use it as a search string. The search string is:
index=myindex | rex "\.info\] Accepted keyboard-interactive for\s+(?P[^ ]+)"
If I plug this search string and test strings into regex101.com, I get matches.
Any ideas as to what may be wrong with the regex? The regex is generated on a Splunk server running 6.2.1, but I'm trying to use it as a search on a Splunk server running 6.0.1. I wouldn't think that's an issue, but I just wanted to note it in case.
Thx Rich. Worked except for the angle brackets which it strips out.
index=myidex sourcetype="unixs1" | head 10000 | rex "\\.info\\] Accepted keyboard-interactive for\\s+(?P(anglebracket)authuser(anglebracket)[^ ]+)"
After some fiddling around, I fixed the regex. For some reason, it needed two backslashes (apologies, as earlier I said forward slashes) in front of .info, behind .info, and two backslashes before s+. Once I made those modifications, the authuser field was extracted.
I'd like to post the regex for others, but every time I try and post it, the backslash is causing problems. Anyone know how to override the tags here?
Apologies, as the copy of the actual string failed because of the forward slashes and angle brackets in the regex. It should be:
index=unixs| rex "(forwardslash).info(forwardslash)] Accepted keyboard-interactive for(forwardslash)s+(?P(anglebracket)authuser(anglebracket)[^ ]+)"
When I enter that search string, the authuser field name does not appear.
What exactly do you mean by "doesn't work"? Are you matching the wrong text, not matching anything, or something else? Your rex command doesn't include a field name - you may want to try
index=myindex | rex "\.info] Accepted keyboard-interactive for\s+(?P<fieldName>[^ ]+)"
if you want to use the matched text in subsequent commands.
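To show what the named group in the answer above does, here is an added example (not from the thread, and not Splunk code): it runs the answer's pattern, with the field named authuser, over a few constructed sshd-style events using Python's re module, which accepts the same (?P<name>...) group syntax as Splunk's PCRE-based rex, and confirms that the form as originally posted, with the group name stripped, does not even compile.

```python
import re

# Constructed sample events in the shape the thread's pattern expects:
# a "[facility.info]" tag followed by the sshd authentication message.
SAMPLE_EVENTS = [
    "Jan 10 12:00:01 host1 sshd[1234]: [auth.info] Accepted keyboard-interactive for alice from 10.0.0.5 port 51234 ssh2",
    "Jan 10 12:00:02 host1 sshd[1235]: [auth.info] Accepted keyboard-interactive for   bob from 10.0.0.6 port 51235 ssh2",
    "Jan 10 12:00:03 host1 sshd[1236]: [auth.info] Failed password for carol from 10.0.0.7 port 51236 ssh2",
    "Jan 10 12:00:04 host1 sshd[1237]: [auth.info] Accepted publickey for dave from 10.0.0.8 port 51237 ssh2",
]

# The pattern from the answer, with the capture group named "authuser".
# \. and \] match the literal dot and bracket; \s+ tolerates extra spaces.
AUTHUSER_PATTERN = r"\.info\] Accepted keyboard-interactive for\s+(?P<authuser>[^ ]+)"
AUTHUSER_RE = re.compile(AUTHUSER_PATTERN)

# The pattern as it first appeared in the question, with the name stripped.
STRIPPED_PATTERN = r"\.info\] Accepted keyboard-interactive for\s+(?P[^ ]+)"


def extract_authuser(event: str):
    """Return the authuser field for one event, or None if the pattern does not match."""
    match = AUTHUSER_RE.search(event)
    return match.group("authuser") if match else None


def extract_all(events):
    """Apply the extraction to every event, keeping None for non-matching ones."""
    return [extract_authuser(event) for event in events]


def is_valid_regex(pattern: str) -> bool:
    """True if the pattern compiles; a (?P...) group without a name raises re.error."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


if __name__ == "__main__":
    for event, user in zip(SAMPLE_EVENTS, extract_all(SAMPLE_EVENTS)):
        print(f"authuser={user!r:>8}  <- {event}")
    print("named group compiles:", is_valid_regex(AUTHUSER_PATTERN))
    print("stripped group compiles:", is_valid_regex(STRIPPED_PATTERN))
```

Only the keyboard-interactive logins yield an authuser value; the password-failure and publickey events leave the field empty, which is the behaviour a search built on this field should expect.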