Splunk Search

Why regex created with the Field Extractor utility is not working when used in a search?

Motivator

Field extractor created a regex that when I use as a search string doesn't work. The search string is:

index=myindex | rex "\.info\] Accepted keyboard-interactive for\s+(?P[^ ]+)"

If I plug this search string and test strings into regx101.com, I get matches.

Any ideas as to what may be wrong with the regex? The regex is generated on a Splunk server running 6.2.1, but I'm trying to use it as a search on a Splunk server running 6.0.1, but I wouldn't think that's an issue, but just wanted to note it in case.

Thx

0 Karma

Motivator

Thx Rich. Worked except for the angle brackets which it strips out.

Regex is:

index=myidex sourcetype="unixs1" | head 10000 | rex "\\.info\\] Accepted keyboard-interactive for\\s+(?P(anglebracket)authuser(anglebracket)[^ ]+)"

0 Karma

Motivator

After some fiddling around, I fixed the regex. For some reason, it needed two back slashes (apologize as earlier I said forward slashes) in front of .info, behind .info, and two back slashes before s+. Once I made those modification, the authuser field was extracted.

I'd like to post the regex for others, but every time I try and post it the back slash is causing problems. Any one know how to override the tags here?

Thx

0 Karma

SplunkTrust
SplunkTrust

Put the regex inside backtics and the backslashes will be preserved.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Revered Legend

Can you provide some sample log entries?

0 Karma

Communicator

Try this (angle brackets were missing around P):

index=myindex | rex "\.info\] Accepted keyboard-interactive for\s+(?<P>[^ ]+)"
0 Karma

Motivator

Apologizes as the copy of the actual string failed because of the forward slashes and angle brackets in the regex. It should be:

index=unixs| rex "(forwardslash).info(forwardslash)] Accepted keyboard-interactive for(forwardslash)s+(?P(anglebracket)authuser(anglebracket)[^ ]+)"

When I enter that search string in, the authuser field name doesn't not appear

Thx

0 Karma

SplunkTrust
SplunkTrust

What exactly do you mean by "doesn't work"? Are you matching the wrong text, not matching anything, or something else? Your rex command doesn't include a field name - you may want to try

index=myindex | rex "\.info] Accepted keyboard-interactive for\s+(?P<fieldName>[^ ]+)"

if you want to use the matched text in subsequent commands.

---
If this reply helps you, an upvote would be appreciated.
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!