Splunk Search

serverclass.conf whitelist regex issue: \w{3}S*ALTSIP*\d{1,2}

sylbaea
Communicator

Hello,

Does anybody see something wrong with this regex ?

\w{3}S*ALTSIP*\d{1,2}

When testing against my host list with regex101.com (PCRE mode), it works fine but it looks Splunk does not accept the "S*" / "P*" syntax.

Something like XXXALTSI00 is not matched while it should.

Regards.

0 Karma

sbbadri
Motivator

correct regex is \S+ALTSI\d+

0 Karma

sylbaea
Communicator

Indeed this one works for this case but purpose of my regex is to handle multiple cases such as:
- XXXALTSI00
- YYYSALTSI01
- ZZZALTSIP02
With the regex I developed, I am able to catch all of them in https://regex101.com but strangely I have to add your version to match the first one. I cannot explain why.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...