
Splunk App for Unix and Linux Bad Regex

tsukasa
Explorer

I've installed the v8.2.0 Splunk App for Unix and Linux on my search head per the instructions in the documentation. However, restarting Splunk throws an error of:

 

Bad regex value: '(?::){0}*', of param: props.conf / [(?::){0}*]; why: this regex is likely to apply to all data and may break summary indexing, among other Splunk features.

 

This appears to be coming from the {%appdir%}\default\props.conf file:

 

## Dropdowns
[(?::){0}*]
LOOKUP-dropdowns = dropdownsLookup host OUTPUT unix_category unix_group

 

As a result, the Metrics page in the app is non-functional.

Is anyone else having this issue? What did you do to resolve it?


PickleRick
SplunkTrust

Well, the regex is indeed a faulty one. Let's analyze:

(?: - non-capturing group

: - a literal colon

) - end of a group

So (?::) should match a literal colon without creating a named or counted capture group.

And now is where the "magic" happens:

{0} - zero (sic!) repetitions of previous group.

Which means that the regex matches any empty string (or rather any "space" between characters).

Oh, and at the end you have a lone asterisk which should follow some token but doesn't so it's definitely some mistake in regex definition.

vgrote
Path Finder

So it looks like the author may have wanted to express something along the lines of "any repetition of a character that is not a colon", or in regex terms "(?:[^:])+"; an asterisk would also match the space between two colons.

YMMV

0 Karma
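As an added illustration of the two replies above (this is not code from the thread, the app, or Splunk), the following Python script checks the regex analysis directly: Python's re module rejects the trailing "*" outright, and the same pattern without it, "(?::){0}", matches the empty string at every position of any input, so a host-keyed LOOKUP attached to it would fire for every event. It then applies the suggested "(?:[^:])+" to a few constructed host values to show what that alternative does and does not match. Python's re is not PCRE, which Splunk uses, so the compile-time behaviour of the nested quantifier is engine-specific; the sample host values are made up for this example.

```python
import re

# Constructed sample host values for this example (not taken from the thread).
SAMPLE_HOSTS = ["web01", "db-02.example.com", "fe80::1", "::1", ""]

BAD_REGEX = r"(?::){0}*"    # stanza name reported by btool validate-regex
EMPTY_REGEX = r"(?::){0}"   # the same pattern minus the trailing '*'
FIXED_REGEX = r"(?:[^:])+"  # the replacement suggested in the thread


def compiles(pattern):
    """True if Python's re engine accepts the pattern at all.

    Python reports 'multiple repeat' for a quantifier that follows
    another quantifier, which is the lone '*' after '{0}'.
    """
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def matches_empty(pattern):
    """True if the pattern matches the empty string.

    A pattern that matches "" matches somewhere in every possible input,
    which is the property btool warns about ("likely to apply to all data").
    """
    return re.search(pattern, "") is not None


def match_positions(pattern, text):
    """Start offsets of every match of pattern in text.

    An empty-string-matching pattern matches at each character boundary,
    so it returns len(text) + 1 positions for any text.
    """
    return [m.start() for m in re.finditer(pattern, text)]


def matches_all(pattern, texts):
    """True if pattern matches somewhere in every one of texts."""
    return all(re.search(pattern, t) is not None for t in texts)


def first_match(pattern, text):
    """The text of the first match of pattern in text, or None."""
    m = re.search(pattern, text)
    return None if m is None else m.group(0)


if __name__ == "__main__":
    print("bad regex compiles:", compiles(BAD_REGEX))
    print("empty regex matches '':", matches_empty(EMPTY_REGEX))
    for host in SAMPLE_HOSTS:
        print(repr(host), "->",
              "empty-regex positions", match_positions(EMPTY_REGEX, host),
              "| fixed-regex first match", first_match(FIXED_REGEX, host))
```

Note that "(?:[^:])+" stops at the first colon, so for a host value like an IPv6 address it yields only the leading run of non-colon characters, and it matches nothing at all for an empty host; whether that is acceptable depends on what the lookup is meant to key on.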

N_Squires
New Member

I tracked my error down to the Splunk for unix app using btool. https://splunkbase.splunk.com/app/273/

splunk btool validate-regex
Bad regex value: '(?::){0}*', of param: props.conf / [(?::){0}*]; why: this regex is likely to apply to all data and may break summary indexing, among other Splunk features.

splunk btool props list --debug | find {0}

Splunk\etc\apps\splunk_app_for_nix\default\props.conf [(?::){0}*]

 

0 Karma

ekpowers
Loves-to-Learn

I'm seeing the same thing after upgrading our Splunk. Have you managed to figure out what's up with the message?

 

0 Karma

tsukasa
Explorer

Nope, still an open issue. No one from support will address it either. Guessing I'll have to talk to an account manager to get any traction on the problem.

0 Karma