Hi People,
I am trying to run a regex command to cut out a part of the REQ field.
On regex101 it is working fine; however, on Splunk it is causing problems and I get an unknown search command error.
Here is the query I am using:
index=was_unauth sourcetype=ibm:was:jmx ReqMethod="POST"
NOT [| inputlookup policy_wlist_ipaddr_digital_ | fields src]
| rename DIP as src, SIP as src, CUST as username, USR as username
| rex field=_raw "REQ=\".*/(?<page>\w*[^0-9]+(\.jsp)?)/?\""
| search src!="10.0.0.0/8" src!="141.92.0.0/16" NOT username=* page!="phoneauthentication" AND page!="1*"
| stats count by page
I do not want the regex command to cut out pages with numbers in them, so I've included [^0-9] in there, which works on regex101, but Splunk does not like it; even when I use a backslash to escape it, it still doesn't pull out the data.
I've also tried using
index=was_unauth sourcetype=ibm:was:jmx ReqMethod="POST"
NOT [| inputlookup policy_wlist_ipaddr_digital_ | fields src]
| rename DIP as src, SIP as src, CUST as username, USR as username
| rex field=_raw "REQ=\".*/(?<page>[a-zA-Z_]+(\.jsp)?)/?\""
| search src!="10.0.0.0/8" src!="141.92.0.0/16" NOT username=* page!="phoneauthentication" AND page!="1*"
| stats count by page
but this gives me the unknown search command ":a" error.
Any help would be greatly appreciated.
Thanks
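An added example (not part of the original post) that runs the post's two capture patterns in Python, using Python's (?P<page>...) named-group syntax and constructed sample REQ values, to show why the \w*[^0-9]+ class still captures pages containing digits while the [a-zA-Z_]+ class leaves them unmatched:

```python
import re

# Constructed sample REQ fragments in the shape the post's _raw events would carry
# (not real log data).
SAMPLES = [
    'REQ="/digital/login/phoneauthentication.jsp"',
    'REQ="/digital/login/page1.jsp"',
    'REQ="/digital/account/summary/"',
    'REQ="/digital/1234"',
]

# First pattern from the post: \w* greedily swallows the digits, so [^0-9]+ only
# has to match one non-digit (here the "." of ".jsp") and "page1.jsp" is captured.
# Because [^0-9]+ also accepts "/", a trailing slash can end up inside the field.
LOOSE = re.compile(r'REQ=".*/(?P<page>\w*[^0-9]+(\.jsp)?)/?"')

# Second pattern from the post: only letters and underscore are allowed, so any
# final path segment containing a digit fails to match and the field stays unset.
STRICT = re.compile(r'REQ=".*/(?P<page>[a-zA-Z_]+(\.jsp)?)/?"')


def extract_pages(pattern, lines):
    """Return the captured 'page' value per line, or None when there is no match."""
    results = []
    for line in lines:
        m = pattern.search(line)
        results.append(m.group("page") if m else None)
    return results


if __name__ == "__main__":
    for name, pat in (("loose", LOOSE), ("strict", STRICT)):
        print(name, extract_pages(pat, SAMPLES))
```

In SPL the same character classes must sit inside a double-quoted rex string, because an unquoted [...] is parsed as a subsearch rather than as part of the regex.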