Solved: Re: rex fails to match files (regex expression wor...

immutableT · ‎09-15-2023

Hello,
There must be something `rex` specific with my query below since it is not extracting the fields, while the regex works as expected when I test on regex101 (see https://regex101.com/r/g0TMS4/1)

eventtype="my_event_type"
| rex field=responseElements.assumedRoleUser.arn /arn:aws:sts::(?<accountId>\d{12}):assumed_role\/(?<assumedRoled>.*)\/vault-oidc-(?<userId>\w+)-*./
| fields accountId, assumedRole, userId

Sample data that fails to match:
arn:aws:sts::984086324016:assumed-role/foo-admin-app/vault-oidc-foo-admin-app-1687793763-Qen4JHeRXYlB8Eoplkjs

Thanks
Alex.

ITWhisperer · ‎09-16-2023

Firstly, you don't need the / at the beginning and end of the regex string in the rex command, if anything these should be replace with double quotes. Secondly, you have an underscore instead of a hyphen in your regex (assumed-role) which doesn't match with your sample data

| rex field=responseElements.assumedRoleUser.arn "arn:aws:sts::(?<accountId>\d{12}):assumed-role\/(?<assumedRoled>.*)\/vault-oidc-(?<userId>\w+)-*."

View solution in original post

PickleRick · ‎09-16-2023

Also, you don't have to escape slashes in the regex.

ITWhisperer · ‎09-16-2023

Firstly, you don't need the / at the beginning and end of the regex string in the rex command, if anything these should be replace with double quotes. Secondly, you have an underscore instead of a hyphen in your regex (assumed-role) which doesn't match with your sample data

| rex field=responseElements.assumedRoleUser.arn "arn:aws:sts::(?<accountId>\d{12}):assumed-role\/(?<assumedRoled>.*)\/vault-oidc-(?<userId>\w+)-*."

How does rex fails to match files (regex expression works as expected on regex101)?

regex

rex

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector