Splunk Search

Why regex in search query is now failing, but used to work for months prior?

smashedpumpkins
Explorer

Today or sometime in the last week a query of mine stopped working. It worked before and should work now. The following AND (sourcetype="" ) should be removed when matched. I used the following...

| rex field=search mode=sed "s/AND\s\(sourcetype=\"\"\s\)//g"

It's worked for months. After breaking the regex down piece by piece I found that the rex fails when it comes to the parenthesis. I can pull out everything between or outside the parenthesis but not the entire string.

Any ideas what might break rexing the parenthesis? This seems like it should be something minor but nothing changed in the query. I'm not sure if our Splunk admins did anything to Splunk but I fail to see how that would affect this query. Thanks!

0 Karma

eddit0r
Explorer

I don't think the parentheses are the issue; it's more likely the trailing space, which I think is being trimmed by the parser.

What happens if you make the final \s in that regex optional (using a ?)?

My test was the following search: index=_internal | head 1 | eval test="AND (sourcetype=\"\") " | rex field=test mode=sed "s/AND\s\(sourcetype=\"\"\s?\)/foo123/g"

It replaces the string fine with the final \s? but not with \s alone.

See: KV_TRIM_SPACES in props.conf

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf

0 Karma

smashedpumpkins
Explorer

Thank you for the response; this is actually still an issue I never resolved. I attempted your solution with no luck. When I wrote the question I mistyped the bolded text and added a space. The following is a more accurate example of the search, normalized with correct spacing and line breaks added for readability. As you can see in the index5 line, the text was not regexed out. I do successfully regex out several other strings before being normalized.

| eval logSource=case 
( index="index1" AND ( sourcetype=xxxxx OR sourcetype=xxxxxx OR sourcetype=xxxxxxx ) , "Logs 1" , 
index="index2" AND ( sourcetype=xxxxx ) , "Logs 2" , 
index="index3" AND ( sourcetype=xxxxx ) , "Logs 3" , 
index="index4" AND ( sourcetype=xxxxx ) , "Logs 4" , 
index="index5" AND ( sourcetype="" ) , "Logs 5" ,
1=1, "Unknown" )
0 Karma
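To make the spacing question concrete, here is an added illustration in Python (Splunk SPL cannot be run outside Splunk; this is not code from either poster). It runs the original rex pattern and the suggested `\s?` variant against constructed clause strings in three spacing variants: the exact spacing the strict pattern expects, the same clause with the space before `)` missing, and the padded `AND ( sourcetype="" )` spacing shown in the normalized search above. The `TOLERANT` pattern is my own generalisation that accepts any amount of whitespace around the clause, not something suggested in the thread.

```python
import re

# Constructed sample strings (not taken from the thread's live data).
# 1) The clause exactly as the strict pattern expects it.
EXACT_SPACING = 'index="index5" AND (sourcetype="" )'
# 2) The same clause with the space before ")" absent, e.g. after trimming.
NO_INNER_SPACE = 'index="index5" AND (sourcetype="")'
# 3) The spacing shown in the normalized search in the follow-up post.
PADDED_SPACING = 'index="index5" AND ( sourcetype="" )'

# The original rex pattern: every \s must match exactly one whitespace char.
STRICT = re.compile(r'AND\s\(sourcetype=""\s\)')
# The suggested change: the final \s made optional with ?.
OPTIONAL_FINAL_SPACE = re.compile(r'AND\s\(sourcetype=""\s?\)')
# My generalisation (assumption, not from the thread): whitespace anywhere
# inside the clause is allowed in any amount, so spacing never decides the match.
TOLERANT = re.compile(r'AND\s*\(\s*sourcetype=""\s*\)')

SAMPLES = {
    'exact': EXACT_SPACING,
    'no_inner_space': NO_INNER_SPACE,
    'padded': PADDED_SPACING,
}
PATTERNS = {
    'strict': STRICT,
    'optional_final_space': OPTIONAL_FINAL_SPACE,
    'tolerant': TOLERANT,
}


def matches(pattern, text):
    """True if the pattern occurs anywhere in the text."""
    return pattern.search(text) is not None


def strip_clause(pattern, text):
    """Emulate `rex mode=sed "s/<pattern>//g"`: delete every match."""
    return pattern.sub('', text)


def match_matrix():
    """For each pattern, report which spacing variant it matches."""
    return {
        name: {label: matches(pat, txt) for label, txt in SAMPLES.items()}
        for name, pat in PATTERNS.items()
    }


if __name__ == '__main__':
    for name, row in match_matrix().items():
        print(f'{name:>22}: {row}')
    print(repr(strip_clause(TOLERANT, PADDED_SPACING)))
```

Running it shows that each pattern matches only the spacing it was written for: the strict pattern needs exactly one space on both sides of `sourcetype=""`, the `\s?` variant additionally accepts a missing space before `)`, and only the whitespace-tolerant form also removes the padded `AND ( sourcetype="" )` clause. Comparing a sample of the field's raw value before and after the query broke, character by character, is the quickest way to see which spacing variant is actually arriving.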

martin_mueller
SplunkTrust

I don't see anything obviously wrong with the regex. You did compare data from back when things worked to after things broke, right?
