I am at a loss as to why the following is not working.
log:
2020-03-31 20:31:19,621 fail2ban.actions [709]: NOTICE [sshd] Unban 156.38.x.x
Query
index=main fail2ban.actions | regex _raw="[(?
I have double checked the regular expression with regex101 and "sshd" is captured in group jail.
Am I missing something?
Splunk Enterprise 8.0.2.1
index=main fail2ban.actions sshd
| rex "\[(?<jail>[a-z]+)\]"
| fields jail
regex: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Regex
rex: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex
What do you want to do?
[ is a meta character.
Your | regex _raw="[(?<jail>sshd)]" searches the word sshd.
See the following:
\ general escape character with several uses
^ assert start of string (or line, in multiline mode)
$ assert end of string (or line, in multiline mode)
. match any character except newline (by default)
[ start character class definition
| start of alternative branch
( start subpattern
) end subpattern
? extends the meaning of (
also 0 or 1 quantifier
also quantifier minimizer
* 0 or more quantifier
+ 1 or more quantifier
also "possessive quantifier"
{ start min/max quantifier
That worked! Thank you. Why is it that when I search for the exact match it returns nothing?
regex is a search command, not a field extraction command, so the field jail is missing.
@vlape_SCWX can you try something like the following:
index=main fail2ban.actions
| rex "\[(?<jail>sshd)\]"
| table jail _raw
Not sure what you want to pull with hard-coded sshd
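Added example (not from this thread) that reproduces both points above outside Splunk: an unescaped [ starts a character class, so the posted pattern defines no jail group and only matches single characters, and a filter-style command (regex) keeps or drops events without creating a field, whereas an extraction (rex) returns the captured value. Python's re module stands in for Splunk's PCRE engine; the one syntax difference is that Python writes named groups as (?P<name>...) instead of (?<name>...), which does not change the bracket behaviour. The first log line is the one from the question; the second line and its postfix jail are constructed for the filter demonstration.

```python
import re

# Log line from the question (the address is masked there as 156.38.x.x).
LOG_LINE = "2020-03-31 20:31:19,621 fail2ban.actions [709]: NOTICE [sshd] Unban 156.38.x.x"

# Constructed second event so the filter has something to drop.
OTHER_LINE = "2020-03-31 20:31:20,000 fail2ban.actions [709]: NOTICE [postfix] Ban 192.0.2.10"
LINES = [LOG_LINE, OTHER_LINE]

# The pattern as posted, with the backslash before [ stripped.  Everything
# between the brackets is now a character class: the set of single characters
# ( ? P < j a i l > s h d.  No capture group exists at all.
UNESCAPED = r"[(?P<jail>sshd)]"

# The corrected pattern from the answer: escaped brackets, named group inside.
# [a-z]+ skips "[709]" (digits) and captures the first lowercase bracketed token.
ESCAPED = r"\[(?P<jail>[a-z]+)\]"

# The hard-coded variant suggested in the follow-up reply.
ESCAPED_HARDCODED = r"\[(?P<jail>sshd)\]"


def named_groups(pattern):
    """Names of the capture groups the pattern actually defines (sorted)."""
    return sorted(re.compile(pattern).groupindex)


def first_match(pattern, line):
    """Text matched by the first occurrence of pattern in line, or None."""
    m = re.search(pattern, line)
    return m.group(0) if m else None


def extract_jail(pattern, line):
    """Python analogue of `rex`: value of the jail group, or None if absent."""
    m = re.search(pattern, line)
    if m is None or "jail" not in m.groupdict():
        return None
    return m.group("jail")


def filter_lines(pattern, lines):
    """Python analogue of `regex`: keep matching events, extract nothing."""
    return [line for line in lines if re.search(pattern, line)]


if __name__ == "__main__":
    print(named_groups(UNESCAPED))            # [] -> no jail field can ever appear
    print(first_match(UNESCAPED, LOG_LINE))   # 'a' -> one char from the class
    print(named_groups(ESCAPED))              # ['jail']
    print(first_match(ESCAPED, LOG_LINE))     # '[sshd]'
    print(extract_jail(ESCAPED, LOG_LINE))    # 'sshd'
    print(filter_lines(ESCAPED_HARDCODED, LINES))  # only the sshd event survives
```

The same asymmetry holds in SPL: `| regex _raw="\[sshd\]"` narrows the result set but produces no field, so a following `| table jail` is empty; `| rex "\[(?<jail>[a-z]+)\]"` creates the field and can be followed by `| table jail _raw`.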
For some reason the \ before [ was stripped when posting the question.
Hi
Use Code Sample or press Ctrl+K while posting your query.