Splunk Search

REX and Props.conf not extracting fields on some regex in version 4.3.3

ng1p
Path Finder

While using a good regex to grab everything after the IP address and before the timestamps of the following Netdisco log file, I could not get my Splunk 4.3.3 search heads to match. I also, as a test, turned on the web interface on my indexers and found the same problem. Both are running 4.3.3 build 128297.

Here is a sample of the log:

1c:6f:65:0c:e1:61 172.1.0.1 FastEthernet4/13 1332864535 1342584229
70:f3:95:12:af:09 172.1.0.1 FastEthernet5/24 1332864535 1342584229
70:f3:95:12:cc:19 172.1.0.1 FastEthernet3/12 1332864535 1342584229
f0:de:f1:3e:00:c8 172.1.0.1 FastEthernet4/16 1332864535 1342562547
00:1e:37:2f:c5:90 172.1.0.1 4.18 1332770653 1342584117
00:50:56:96:16:7c 172.1.0.1 GigabitEthernet2/0/10 1336706871 1342584112
00:50:56:bd:00:35 172.1.0.1 GigabitEthernet1/0/9 1336706871 1342584112

In my props.conf I have this line, which doesn't work in Splunk (the field switch_port never shows) but does work using web-based regex testing sites like Rubular and RegExr:

EXTRACT-switch_port = (?i)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s(?<switch_port>[\w\/.:]+)

I took this a few steps further by trying a simple rex command in the web interface on both the search heads and the indexers as follows:

index=network sourcetype=mac_data | rex "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s(?<switch_ports2>[\w\/.:]+)"

That still had no matches. I had my Sales Engineer take the sample log entry from above, and they were able to make this work fine in Splunk 4.3.1 build 119532. Is this a bug with 4.3.3? Or is something else on my end causing this issue? I did open a Splunk ticket on this but wanted to get some feedback from others. I will also post any findings here. The Splunk ticket is "CASE [90835] : Rex and Props.conf extraction not working".

All the other extractions are working fine for this sourcetype. Here is the full props on this sourcetype:

[mac_data]
EXTRACT-mac = (?i)(?<mac>[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2})
EXTRACT-switch_ip = (?i)(?<switch_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
EXTRACT-switch_port = (?i)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s(?<switch_port>[\w\/.:]+)

Rob
Splunk Employee

Could you please try changing your original regex character class so that it is similar to the following:

EXTRACT-switch_port = (?i)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s(?<switch_port>[\w:\/.]+)

...and see if that will work better for you? The PCRE library was updated with 4.3 and it has become slightly stricter with how it is used.

Alternatively, you may want to try the following regex:

EXTRACT-switch_port = (?i)(?:\d{1,3}\.){3}\d{1,3}\s+(?<switch_port>\S+)\s+


ng1p
Path Finder

This is not a great answer, but it worked for me. I hope someone can explain this further. I got this to work by trying several regexes until one worked in Splunk. Support was no help at all and was very slow to respond on this one.

To get this to work I changed the switch port line in props.conf from this:
EXTRACT-switch_port = (?i)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s(?<switch_port>[\w\/.:]+)

To this:
EXTRACT-switch_port = (?i)^(?:[^.]*\.){3}\d+\s+(?<switch_port>[^ ]+)

This new one did the trick. It's very strange that both will work in other installs of Splunk but not in my production Splunk. So I still have a problem that others may not have.

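To make the candidate extractions from this thread checkable offline, here is an added example (not from the original posts and not Splunk's own code) that runs each EXTRACT-switch_port regex quoted above against the sample rows from the question. Python's re module spells named groups as (?P<name>...), so a small helper rewrites the PCRE (?<name>...) form that Splunk uses; the sample rows are a copy of the lines in the question, and the hidden_whitespace helper is an assumed diagnostic for one thing worth checking on indexed data (tabs, carriage returns or other non-printable bytes that a pasted sample loses), not a diagnosis of the original problem.

```python
import re

# Constructed copy of four rows from the question's Netdisco sample.
SAMPLE_LOG = """\
1c:6f:65:0c:e1:61 172.1.0.1 FastEthernet4/13 1332864535 1342584229
70:f3:95:12:af:09 172.1.0.1 FastEthernet5/24 1332864535 1342584229
00:1e:37:2f:c5:90 172.1.0.1 4.18 1332770653 1342584117
00:50:56:96:16:7c 172.1.0.1 GigabitEthernet2/0/10 1336706871 1342584112
"""

# The patterns from the thread, keyed by who proposed them (PCRE syntax as in props.conf).
CANDIDATES = {
    "original": r"(?i)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s(?<switch_port>[\w\/.:]+)",
    "rob_reordered_class": r"(?i)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s(?<switch_port>[\w:\/.]+)",
    "rob_alternative": r"(?i)(?:\d{1,3}\.){3}\d{1,3}\s+(?<switch_port>\S+)\s+",
    "final_working": r"(?i)^(?:[^.]*\.){3}\d+\s+(?<switch_port>[^ ]+)",
}

# Matches a PCRE named-group opener "(?<name>" but not lookbehinds "(?<=" / "(?<!".
_NAMED_GROUP = re.compile(r"\(\?<([A-Za-z_]\w*)>")


def pcre_to_python(pattern: str) -> str:
    """Rewrite PCRE-style (?<name>...) groups to Python's (?P<name>...) form."""
    return _NAMED_GROUP.sub(r"(?P<\1>", pattern)


def extract(pattern: str, event: str) -> dict:
    """Mimic a props.conf EXTRACT-*: first match in the raw event, named groups become fields."""
    m = re.search(pcre_to_python(pattern), event)
    return m.groupdict() if m else {}


def run_all(log: str = SAMPLE_LOG, candidates: dict = CANDIDATES) -> dict:
    """Return {candidate_name: [switch_port value per event, or None when no match]}."""
    events = [line for line in log.splitlines() if line.strip()]
    return {
        name: [extract(pat, ev).get("switch_port") for ev in events]
        for name, pat in candidates.items()
    }


def hidden_whitespace(event: str) -> list:
    """Assumed diagnostic: list (offset, codepoint) of every non-printable-ASCII character.

    A regex that works on a pasted sample but not on indexed events often differs
    only in separators (tab, NBSP, CR) that the paste normalised away.
    """
    return [(i, hex(ord(c))) for i, c in enumerate(event) if not 0x20 <= ord(c) < 0x7F]


if __name__ == "__main__":
    for name, ports in run_all().items():
        print(f"{name:22s} {ports}")
    for event in SAMPLE_LOG.splitlines():
        print(hidden_whitespace(event))
```

On the pasted sample every candidate yields the same switch_port values, which is consistent with the thread: the original regex is valid PCRE and the difference must lie in the indexed data or the deployment, not in the pattern's syntax. Run hidden_whitespace over events pulled from the index itself (for example the _raw field of a few results) rather than over a pasted copy.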