Splunk Search

help to capture with rex an event

Caio_Santos
Path Finder

hello everybody, following is the event that i'm trying to capture with rex.

[2010-08-05 17:51:11,661][info] INFO com.porto.infra.security.SecurityUtil [5c815c81] getUsuario() - Foi chamado, mas Authentication.Principal = NULL -> Exception throwed
[2010-08-05 17:51:11,662][info] INFO com.porto.infra.security.portal.PortalUtil [5c815c81] PreAuthenticatedRequestInfo() - Usuario nao existe - SecurityUtil.getUsuario() retornou Exception getUsuario() - Usuário precisa estar autenticado para chamar esta função

I'm using this regex

\b\]\s\w+(\(\))

i'm trying to capture just the one in bold without the '] '


The error that I'm getting on splunk when I attempt to use that rex command:

Error in 'rex' command: Encountered the following error while compiling the regex '(?<=[[\w\d]+]\s)(\w+()))': Regex: lookbehind assertion is not fixed length

Tags (2)
0 Karma
1 Solution

ftk
Motivator

This regex will work:

(?<=\[\d+-\d+-\d+\s\d+:\d+:\d+,\d+\]\[\w+\].*\[\S+\]\s)(\w+\(\))

[Edit: rex usage] To use this in rex you can simply change the lookbehind to a non-capturing group and give a field name (in this case "function") to your capturing group:

search terms | rex "(?:\[\d+-\d+-\d+\s\d+:\d+:\d+,\d+\]\[\w+\].*\[\S+\]\s)(?<function>\w+\(\))"

View solution in original post

thepocketwade
Path Finder

In the future you can try using the 'erex' command, which will take examples you give it as in

... | erex monthday examples="7/01, 07/02" counterexamples="99/2"

It will give you a regex that will work to pull out your examples.

0 Karma

ftk
Motivator

see updated answer RE: rex usage

0 Karma

ftk
Motivator

This regex will work:

(?<=\[\d+-\d+-\d+\s\d+:\d+:\d+,\d+\]\[\w+\].*\[\S+\]\s)(\w+\(\))

[Edit: rex usage] To use this in rex you can simply change the lookbehind to a non-capturing group and give a field name (in this case "function") to your capturing group:

search terms | rex "(?:\[\d+-\d+-\d+\s\d+:\d+:\d+,\d+\]\[\w+\].*\[\S+\]\s)(?<function>\w+\(\))"

ftk
Motivator

I updated the answer.

0 Karma

Caio_Santos
Path Finder

i got this error on splunk when I tryed to use the referenced command:

Error in 'rex' command: Encountered the following error while compiling the regex '(?<=[\d+-\d+-\d+\s\d+:\d+:\d+,\d+][\w+].*[\S+]\s)(\w+())': Regex: lookbehind assertion is not fixed length

what is it supposed to be ?

0 Karma

ftk
Motivator

Lookarounds will work in splunk's props.conf for field extractions.

0 Karma

ftk
Motivator

tested fine for me. Tried it in Expresso, http://regexlib.com/RETester.aspx, and http://gskinner.com/RegExr/.

0 Karma

Caio_Santos
Path Finder

i got what you did, but i'm not sure if i need to setup something else like making the lookaround flag on. Because even in my regex tester this is not working.

Thanks

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...