Hello everybody, following is the event that I'm trying to capture with rex.
[2010-08-05 17:51:11,661][info] INFO com.porto.infra.security.SecurityUtil [5c815c81] getUsuario() - Foi chamado, mas Authentication.Principal = NULL -> Exception throwed
[2010-08-05 17:51:11,662][info] INFO com.porto.infra.security.portal.PortalUtil [5c815c81] PreAuthenticatedRequestInfo() - Usuario nao existe - SecurityUtil.getUsuario() retornou Exception getUsuario() - Usuário precisa estar autenticado para chamar esta função
I'm using this regex
\b\]\s\w+(\(\))
I'm trying to capture just the one in bold, without the '] '.
The error that I'm getting in Splunk when I attempt to use that rex command:
Error in 'rex' command: Encountered the following error while compiling the regex '(?<=[[\w\d]+]\s)(\w+()))': Regex: lookbehind assertion is not fixed length
This regex will work:
(?<=\[\d+-\d+-\d+\s\d+:\d+:\d+,\d+\]\[\w+\].*\[\S+\]\s)(\w+\(\))
[Edit: rex usage] To use this in rex you can simply change the lookbehind to a non-capturing group and give a field name (in this case "function") to your capturing group:
search terms | rex "(?:\[\d+-\d+-\d+\s\d+:\d+:\d+,\d+\]\[\w+\].*\[\S+\]\s)(?<function>\w+\(\))"
In the future you can try using the 'erex' command, which will take examples you give it as in
... | erex monthday examples="7/01, 07/02" counterexamples="99/2"
It will give you a regex that will work to pull out your examples.
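The lookbehind failure and the non-capturing-group fix discussed in this thread, as an added example that is not part of the original posts. It assumes Python's re module as a stand-in for the PCRE engine behind rex: both reject variable-length lookbehinds, but Python spells the named group (?P<function>...) where rex uses (?<function>...). The events are the two log lines quoted in the question; the function names and the short fixed-width pattern are illustrative.

```python
import re

# Sample input: the two log events quoted in the question.
EVENTS = [
    "[2010-08-05 17:51:11,661][info] INFO com.porto.infra.security.SecurityUtil "
    "[5c815c81] getUsuario() - Foi chamado, mas Authentication.Principal = NULL "
    "-> Exception throwed",
    "[2010-08-05 17:51:11,662][info] INFO com.porto.infra.security.portal.PortalUtil "
    "[5c815c81] PreAuthenticatedRequestInfo() - Usuario nao existe - "
    "SecurityUtil.getUsuario() retornou Exception getUsuario() - Usuário precisa "
    "estar autenticado para chamar esta função",
]

# Prefix and capture taken from the answer's regex.
PREFIX = r"\[\d+-\d+-\d+\s\d+:\d+:\d+,\d+\]\[\w+\].*\[\S+\]\s"
FUNC = r"\w+\(\)"


def compiles(pattern):
    """Return True if the engine accepts the pattern, False if it rejects it."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


# 1. The prefix contains \d+ and .*, so its length varies: as a lookbehind
#    it is rejected at compile time, matching the error reported in the thread.
VARIABLE_LOOKBEHIND = "(?<=" + PREFIX + ")(" + FUNC + ")"

# 2. A lookbehind over a fixed number of characters ("] ") is accepted,
#    which shows the restriction is on length, not on lookbehind itself.
FIXED_LOOKBEHIND = r"(?<=\]\s)(\w+\(\))"

# 3. The answer's rex form: consume the prefix in a non-capturing group
#    and name only the part to extract.
EXTRACT = re.compile("(?:" + PREFIX + ")(?P<function>" + FUNC + ")")


def extract_function(event):
    """Return the method name that follows the bracketed id, or None."""
    m = EXTRACT.search(event)
    return m.group("function") if m else None


if __name__ == "__main__":
    print("variable-length lookbehind compiles:", compiles(VARIABLE_LOOKBEHIND))
    print("fixed-length lookbehind compiles:", compiles(FIXED_LOOKBEHIND))
    for event in EVENTS:
        print(extract_function(event))
```

Because `.*` is greedy, the non-capturing form anchors on the last bracketed token that is followed by a `name()` call, which in both events is the one after `[5c815c81]`.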
See updated answer RE: rex usage
I updated the answer.
I got this error in Splunk when I tried to use the referenced command:
Error in 'rex' command: Encountered the following error while compiling the regex '(?<=[\d+-\d+-\d+\s\d+:\d+:\d+,\d+][\w+].*[\S+]\s)(\w+())': Regex: lookbehind assertion is not fixed length
What is it supposed to be?
Lookarounds will work in Splunk's props.conf for field extractions.
Tested fine for me. Tried it in Expresso, http://regexlib.com/RETester.aspx, and http://gskinner.com/RegExr/.
I got what you did, but I'm not sure if I need to set up something else, like turning the lookaround flag on, because even in my regex tester this is not working.
Thanks