Splunk_TA_bluecoat-proxysg "Bad regex value" error after upgrade from Splunk 6.2.6 to 6.3.5

pjohnson1
Path Finder

Hello,

After we upgraded Splunk to 6.3.5, our Splunk_TA_bluecoat-proxysg started producing a bad regex error:

btool.log

Bad regex value: '(?[^;]+)', of param: transforms.conf / [bluecoat_categories] / REGEX; why: unrecognized character after (? or (?- transforms.conf

transforms.conf

[bluecoat_categories]
SOURCE_KEY = cs_categories
REGEX = (?[^;]+)
MV_ADD = true

Thanks again!

michael_sleep
Communicator

As someone already mentioned it's difficult to understand what that regex is supposed to be doing. My understanding from the example data and the "bluecoat_categories" stanza you posted is that it should be taking this block of log data:

2016-07-27 01:44:37 82 aaa.bbb.ccc.ddd - - liveupdate.symantecliveupdate.com 173.222.148.19 None - - OBSERVED "Technology/Internet;Non-Viewable/Infrastructure" - 200 TCP_NC_MISS GET application/zip http liveupdate.symantecliveupdate.com 80 /sepc$20virus$20definitions$20win64$20$28x64$29$2012.1$20ru6_microdefsb.curdefs_symalllanguages_livetri.zip - zip "SEP/12.1.6318.6100, MID/{AE0696BC-BC71-CDA9-C292-88E224F7E9F3}, SID/59" 166.45.51.140 7735 447 - "Symantec Live Update" "Update Software" unavailable 27222a8161c3a978-0000000000bc77b0-0000000057981205 - -

And pulling out this value:

2016-07-27 01:44:37 82 aaa.bbb.ccc.ddd - - liveupdate.symantecliveupdate.com 173.222.148.19 None - - OBSERVED "Technology/Internet

But what you're actually looking for is:

Technology/Internet;Non-Viewable/Infrastructure

The regex for extracting that is wrong here and in the link you posted. But it's probably supposed to be this...:

(?:[^;]+)

It is basically saying "Capture everything except a semicolon and then stop" which seems like it wouldn't work that well. So while I think the regex I just posted is the 'correct' regex, I don't think it's very good.

Maybe try this:

^(?:[^ \n]* ){12}\"([^\"]*)\"

Translated this means:

Start at the beginning of the log line. Match everything except spaces and a newline 12 times (I'm assuming a single space is the only delimiter between these columns and doesn't occur in the fields leading up to it... can change it if necessary), at which point capture everything that occurs after a quotation mark before encountering a quotation mark.

twinspop
Influencer

It's not clear to me from the info provided what the regex will be doing, but it's definitely not legit. I'd try removing the '?' from the regex and see if you get good results in your searches.

REGEX = ([^;]+)
pjohnson1
Path Finder

That's strange. That transform was taken from https://answers.splunk.com/answers/408911/splunk-add-on-for-blue-coat-proxysg-has-anyone-got.html.

It was a fix for the Bluecoat SGOS 6.6x. extractions.

Here is a sample log entry and the bluecoat category is "Technology/Internet;Non-Viewable/Infrastructure":

2016-07-27 01:44:37 82 aaa.bbb.ccc.ddd - - liveupdate.symantecliveupdate.com 173.222.148.19 None - - OBSERVED "Technology/Internet;Non-Viewable/Infrastructure" - 200 TCP_NC_MISS GET application/zip http liveupdate.symantecliveupdate.com 80 /sepc$20virus$20definitions$20win64$20$28x64$29$2012.1$20ru6_microdefsb.curdefs_symalllanguages_livetri.zip - zip "SEP/12.1.6318.6100, MID/{AE0696BC-BC71-CDA9-C292-88E224F7E9F3}, SID/59" 166.45.51.140 7735 447 - "Symantec Live Update" "Update Software" unavailable 27222a8161c3a978-0000000000bc77b0-0000000057981205 - -
twinspop
Influencer

¯\_(ツ)_/¯ It was wrong there too. (?[ is invalid regex. The older splunk must have been more forgiving. Dropping the question mark should make it work.

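Checking the three patterns from this thread against the posted sample line, as an added example that is not part of any post above. It uses Python's re module on the assumption that it rejects `(?[` for the same reason Splunk's PCRE does, and it runs `([^;]+)` over the cs_categories value (which is what SOURCE_KEY = cs_categories points the regex at) and the anchored 12-column pattern over the raw line; iterating over every match of group 1 is an approximation of the multivalue field MV_ADD = true would collect.

```python
import re

# Constructed from the sample line in the thread, trimmed after the category
# field; the first twelve space-separated columns are unchanged.
RAW_LINE = (
    '2016-07-27 01:44:37 82 aaa.bbb.ccc.ddd - - liveupdate.symantecliveupdate.com '
    '173.222.148.19 None - - OBSERVED "Technology/Internet;Non-Viewable/Infrastructure" '
    '- 200 TCP_NC_MISS GET application/zip http liveupdate.symantecliveupdate.com 80 '
    '/trimmed.zip - zip "SEP/12.1.6318.6100" 166.45.51.140 7735 447 - '
    '"Symantec Live Update" "Update Software" unavailable - -'
)
# Value of the cs_categories field for that line (the SOURCE_KEY of the stanza).
CS_CATEGORIES = 'Technology/Internet;Non-Viewable/Infrastructure'

BROKEN = r'(?[^;]+)'                         # from the original transforms.conf
FIXED = r'([^;]+)'                           # twinspop's suggestion
ANCHORED = r'^(?:[^ \n]* ){12}\"([^\"]*)\"'  # michael_sleep's suggestion


def compiles(pattern):
    """Return (accepted, error_message) for a pattern; mirrors btool's 'Bad regex value' check."""
    try:
        re.compile(pattern)
        return True, ''
    except re.error as exc:
        return False, str(exc)


def extract(pattern, text):
    """Every group-1 value the pattern yields over text, in order (one list entry per match)."""
    return [m.group(1) for m in re.finditer(pattern, text)]


if __name__ == '__main__':
    for name, pat in (('BROKEN', BROKEN), ('FIXED', FIXED), ('ANCHORED', ANCHORED)):
        ok, msg = compiles(pat)
        print(f'{name:9} compiles={ok} {msg}')
    # The bare pattern splits the category field on ';' into two values ...
    print('FIXED    over cs_categories:', extract(FIXED, CS_CATEGORIES))
    # ... but run over the whole line it swallows everything before the first ';'.
    print('FIXED    over raw line     :', extract(FIXED, RAW_LINE)[0][-25:])
    # The anchored pattern pulls the complete quoted category string from the raw line.
    print('ANCHORED over raw line     :', extract(ANCHORED, RAW_LINE))
```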