FireEye Error

arkonner · ‎05-18-2018

During the splunk server restart and written into _internal index the error reported below is displayed - seems to be introduced by the default configuration on which the app is provided.

Well, any help you that you could give us to solve the error would be appreaciated.

index=_internal eventtype="splunkd-log" log_level=ERROR

05-17-2018 19:07:52.840 +0200 ERROR SearchOperator:kv - Cannot compile RE \"[\w-.]{1,30})\"\s*(sid=\"(?\d*)")?\s*(stype=\"(?[\w-]{1,30})\")?\" for transform 'EXTRACT-malware-info_for_fireeye': Regex: invalid range in character class

sriley_splunk · ‎01-21-2020

I found you need to move the hyphen to the end of your capture group.

[\w\.-]

instead of:

[\w-\.]

The full line would be:

<malware\sname=\"(?<malware_name>[\w\.-]{1,30})\"\s*(sid=\"(?<malware_sid>\d*)")?\s*(stype=\"(?<malware_stype>[\w-]{1,30})\")?

Azeemering · ‎05-18-2018

This means that the regex string in the inline field extraction called malware-info_for_fireeye is deemed not correct.
Go to Settings-->Fields-->Field Extractions.
First thing I would do is check if the regex there has not been modfied from the original app by anyone.

It looks to me like it has been modified maybe?
The original is <malware\sname=\"(?<malware_name>[\w-\.]{1,30})\"\s*(sid=\"(?<malware_sid>\d*)")?\s*(stype=\"(?<malware_stype>[\w-]{1,30})\")?

Second I would use regex101.com or regexr.com to check if the regex string is actually correct and works as design

FireEye Error

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes