I have log messages that look like the following:
Aug 4 11:13:57 craig gnome-keyring-daemon[2252]: PROMPT OUTPUT: [transport]
Aug 4 11:15:01 craig CRON[10865]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 4 11:25:51 craig sudo: craig : TTY=pts/5 ; PWD=/opt ; USER=root ; COMMAND=/bin/bash
Aug 4 08:57:56 craig xscreensaver: pam_unix(xscreensaver:auth): auth could not identify password for [craig]
I'm trying to extract:
gnome-keyring-daemon
CRON
sudo
xscreensaver
The regex generated by the field extraction tool is giving me "any character that is not a left bracket": [^\[]+
What I need is "any character that is not a left bracket or colon", such as [^\[|:]+ But if I put that in, the field extraction utility throws an error.
But for some reason Splunk doesn't like the standard "|" for OR. How can I write a field extraction that is the equivalent of "any character that is not a left bracket or colon"?
Thx.
Craig
The pipe character is not used for alternation when specifying a character in a character class, i.e., what is inside of []
or [^]
sets is not a regular expression, but listing sets of characters. This has nothing to do with Splunk, but is standard for most regex, including PCRE. Therefore, the correct character class specification is: [^\[:]
.
Also, I don't know why you have the extra backslash in your question. You need it if you're using rex
in a search expression to quote the backslash, but when providing the regex directly, such as in the config file or the regex creator, it is wrong.
The pipe character is not used for alternation when specifying a character in a character class, i.e., what is inside of []
or [^]
sets is not a regular expression, but listing sets of characters. This has nothing to do with Splunk, but is standard for most regex, including PCRE. Therefore, the correct character class specification is: [^\[:]
.
Also, I don't know why you have the extra backslash in your question. You need it if you're using rex
in a search expression to quote the backslash, but when providing the regex directly, such as in the config file or the regex creator, it is wrong.
Oh great. Splunkbase is adding the extra backslashes. Exactly what it should not be doing.
I think the regex is \w+\s\d+\s\d+:\d+:\d+\s\w+\s([^:[]+)
The double backslashes are likely due to a bug on splunk-base that duplicates backslashes (see your own answer as well).