Splunk Search

serverclass.conf whitelist regex issue: \w{3}S*ALTSIP*\d{1,2}

Communicator

Hello,

Does anybody see something wrong with this regex ?

\w{3}S*ALTSIP*\d{1,2}

When testing against my host list with regex101.com (PCRE mode), it works fine but it looks Splunk does not accept the "S*" / "P*" syntax.

Something like XXXALTSI00 is not matched while it should.

Regards.

0 Karma

Motivator

correct regex is \S+ALTSI\d+

0 Karma

Communicator

Indeed this one works for this case but purpose of my regex is to handle multiple cases such as:
- XXXALTSI00
- YYYSALTSI01
- ZZZALTSIP02
With the regex I developed, I am able to catch all of them in https://regex101.com but strangely I have to add your version to match the first one. I cannot explain why.

0 Karma