Channel: Questions in topic: "splunk-enterprise"

Regex command causing the search to not work - unknown search command

Hi People,

I am trying to run a regex command to cut out a part of the REQ field. On regex 101 it is working fine; however, on Splunk it is causing problems and I get an unknown search command error.

Here is the query I am using:

    index=was_unauth sourcetype=ibm:was:jmx ReqMethod="POST" NOT [| inputlookup policy_wlist_ipaddr_digital_ | fields src]
    | rename DIP as src, SIP as src CUST as username USR as username
    | rex field=_raw REQ\=\".*\/(?<page>\w*[^0-9]+(\.jsp)?)\/?\"
    | search src!="10.0.0.0/8" src!="141.92.0.0/16" NOT username=* page!="phoneauthentication" AND page!="1*"
    | stats count by page

I do not want the regex command to cut out pages with numbers in them, so I've included [^0-9] in there, which works on regex 101, but Splunk does not like it, even when I use a backslash to block it out, and it still doesn't pull out the data.

I've also tried using

    index=was_unauth sourcetype=ibm:was:jmx ReqMethod="POST" NOT [| inputlookup policy_wlist_ipaddr_digital_ | fields src]
    | rename DIP as src, SIP as src CUST as username USR as username
    | rex field=_raw REQ\=\".*\/(?<page>[a-zA-Z_]+(\.jsp)?)\/?\"
    | search src!="10.0.0.0/8" src!="141.92.0.0/16" NOT username=* page!="phoneauthentication" AND page!="1*"
    | stats count by page

but this gives me the unknown search command :a error.

Any help would be greatly appreciated.

Thanks
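
An added example, not part of the original post: the second query with the rex pattern wrapped in double quotes, which the rex command requires, and the quotes inside the pattern escaped as \". Left unquoted, the square brackets of a character class are parsed by SPL as the start of a subsearch, which produces an "unknown search command" error. The group name page is an assumption taken from the field that the later search and stats clauses use.

```spl
index=was_unauth sourcetype=ibm:was:jmx ReqMethod="POST" NOT [| inputlookup policy_wlist_ipaddr_digital_ | fields src]
| rename DIP as src, SIP as src CUST as username USR as username
| rex field=_raw "REQ\=\".*\/(?<page>[a-zA-Z_]+(\.jsp)?)\/?\""
| search src!="10.0.0.0/8" src!="141.92.0.0/16" NOT username=* page!="phoneauthentication" AND page!="1*"
| stats count by page
```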
