- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: cisco asa add-on - default regex not working i...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cisco asa add-on - default regex not working in UI with regex/rex command
Hello
I download cisco asa add-on from splunk base and in default folder/transforms.conf some regexes cannot be used in Splunk UI using regex/rex command as there is comming error for missing closing parenthesis but I dont understand as the regex is supposed to be correct as no customizations are made.
Its multiple regexes with same error so it seems that there is some difference between regex interpretator in splunk from transforms.conf and this in UI.
Can someone confirm this or explain why this happens?
exmaple regex :
[cisco_asa_message_id_302014_302016]
REGEX = -30201[46]:\s*(\S+)\s+(\S+)\s+connection\s+(\d+)\s+for\s+([^:\s]+)\s*:\s*(?:((?:[\d+.]+|[a-fA-F0-9]*:[a-fA-F0-9]*:[a-fA-F0-9:]*))|(\S+))\s*\/\s*(\d{1,5})(?:\s*\(\s*(?:([\S^\\]+)\\)?([\w\-_]+)\s*\))?\s+to\s+([^:\s]+)\s*:\s*(?:((?:[\d+.]+|[a-fA-F0-9]*:[a-fA-F0-9]*:[a-fA-F0-9:]*))|(\S+))\s*\/\s*(\d{1,5})(?:\s*\(\s*(?:([\S^\\]+)\\)?([\w\-_]+)\s*\))?\s+[Dd]uration:?\s*(?:(\d+)[dD])?\s*(\d+)[Hh]?\s*:\s*(\d+)[Mm]?\s*:\s*(\d+)[Ss]?\s+bytes\s+(\d+)\s*(?:(.+?(?=\s+from))\s+from\s+(\S+)|([^\(]+))?\s*(?:\(\s*([^\)\s]+)\s*\))?
Error in 'rex' command: Encountered the following error while compiling the regex '\s*(\S+)\s+(\S+)\s+connection\s+(\d+)\s+for\s+([^:\s]+)\s*:\s*(?:((?:[\d+.]+|[a-fA-F0-9]*:[a-fA-F0-9]*:[a-fA-F0-9:]*))|(\S+))\s*\/\s*(\d{1,5})(?:\s*\(\s*(?:([\S^\]+)\)?([\w\-_]+)\s*\))?\s+to\s+([^:\s]+)\s*:\s*(?:((?:[\d+.]+|[a-fA-F0-9]*:[a-fA-F0-9]*:[a-fA-F0-9:]*))|(\S+))\s*\/\s*(\d{1,5})(?:\s*\(\s*(?:([\S^\]+)\)?([\w\-_]+)\s*\))?\s+[Dd]uration:?\s*(?:(\d+)[dD])?\s*(\d+)[Hh]?\s*:\s*(\d+)[Mm]?\s*:\s*(\d+)[Ss]?\s+bytes\s+(\d+)\s*(?:(.+?(?=\s+from))\s+from\s+(\S+)|([^\(]+))?\s*(?:\(\s*([^\)\s]+)\s*\))?': Regex: missing closing parenthesis.
BTW: the regex is working fine in regex101.com
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't see anything obviously wrong with the regex, so I stuck it into a run anywhere and added random closing parenthesis until it stopped complaining.
You have two closing parens, and it says it's missing the closing one. Ditto with if you add one to make it three closing parens. At 5, it shifts to telling you there's an unmatched one at the end. So, 4 is the magic number?
| makeresults | rex "-30201[46]:\s*(\S+)\s+(\S+)\s+connection\s+(\d+)\s+for\s+([^:\s]+)\s*:\s*(?:((?:[\d+.]+|[a-fA-F0-9]*:[a-fA-F0-9]*:[a-fA-F0-9:]*))|(\S+))\s*\/\s*(\d{1,5})(?:\s*\(\s*(?:([\S^\\]+)\\)?([\w\-_]+)\s*\))?\s+to\s+([^:\s]+)\s*:\s*(?:((?:[\d+.]+|[a-fA-F0-9]*:[a-fA-F0-9]*:[a-fA-F0-9:]*))|(\S+))\s*\/\s*(\d{1,5})(?:\s*\(\s*(?:([\S^\\]+)\\)?([\w\-_]+)\s*\))?\s+[Dd]uration:?\s*(?:(\d+)[dD])?\s*(\d+)[Hh]?\s*:\s*(\d+)[Mm]?\s*:\s*(\d+)[Ss]?\s+bytes\s+(\d+)\s*(?:(.+?(?=\s+from))\s+from\s+(\S+)|([^\(]+))?\s*(?:\(\s*([^\)\s]+)\s*\))))"
Yep, now it tells you that it doesn't match anything.
Now, why did it need two extra closing parens, and is it now still working properly? I don't know, because I don't have any sample data I can test with.
If that above helps you get where you need to go, well, accept this as a solution and give it a thumbs up! I suspect it won't, though... so if it doesn't help, can you provide a couple of sample events to match it to?
Thanks,
Rich
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
