Getting below errors in Splunk search-heads for FireEye app
ERROR SearchOperator:kv - Cannot compile RE \"[\w-\.]{1,30})\"\s*(sid=\"(?\d*)")?\s*(stype=\"(?[\w-]{1,30})\")?\" for transform 'EXTRACT-malware-info_for_fireeye': Regex: invalid range in character class.
The fireeye app version installed is 3.1.1 on splunk 7.0.3
Not sure, why I'm getting such an error when installing FireEye app in Splunk . Please help.
config modified as below and and errors got vanished
EXTRACT-malware-info_for_fireeye =<malware\sname=\"(?<malware_name>[\w-]{1,30})\"\s*(sid=\"(?<malware_sid>\d*)")?\s*(stype=\"(?<malware_stype>[\w-]{1,30})\")?
config modified as below and and errors got vanished
EXTRACT-malware-info_for_fireeye =<malware\sname=\"(?<malware_name>[\w-]{1,30})\"\s*(sid=\"(?<malware_sid>\d*)")?\s*(stype=\"(?<malware_stype>[\w-]{1,30})\")?
Hi,
If you are running Fireeye 3.1.1 then fe_xml_syslog
config should be like this in Fireeye app props.conf
EXTRACT-malware-info_for_fireeye = <malware\sname=\"(?<malware_name>[\w-\.]{1,30})\"\s*(sid=\"(?<malware_sid>\d*)")?\s*(stype=\"(?<malware_stype>[\w-]{1,30})\")?
However error which you have provided is not extracting capturing group into any field so your regex is invalid.
yes, in fireeye app props.conf we have same fe_xml_syslog config , it was not modified
EXTRACT-malware-info_for_fireeye = <malware\sname=\"(?<malware_name>[\w-\.]{1,30})\"\s*(sid=\"(?<malware_sid>\d*)")?\s*(stype=\"(?<malware_stype>[\w-]{1,30})\")?