ALERT! The community will be read-only starting on April 19, 8am Pacific as the migration begins. Read more for important details.
ALERT! The community will be read-only starting on April 19, 8am Pacific as the migration begins.Read more for important details.
This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
branden2
Absent Member.
Absent Member.
‎2011-06-28 21:35
162 views

Hair-pulling regex issue?

Jump to solution

Working on my FlexConnector... So close to having it working...

Unfortunately it's not capturing any events. Every single (50,000+) event reports this in the ArcSight log (log modified slightly for anonymity):

[2011-06-28 16:17:32,565][WARN ][default.com.arcsight.agent.sdk.a.p][parseValues] Message [230.864.286.207 - - [14/Jul/2009:12:22:29 -0400] "POST /psc/FQ9/EMPLOYEE/ERP/c/ARCHIVING.ARCH_PRJ.GBL HTTP/1.1" 200 20156 ] did not match the common regular expression [(\d+\.\d+\.\d+\.\d+)\s+\S+\s+\S+\s+\[([^\]]+)]\s+"(\S+)\s+(\S+)\s+(\S+\/\d+\.\d+)"\s+(\d+)\s+(\d+)], ignoring...

If you run that log event through the regex tool, it shows up as valid.

I've attached my properties file.

Running out of gas on this FC...

Thanks!

Labels (2)
Tags (1)
Preview file
1 KB
0 Likes
Report Inappropriate Content
1 Solution

Accepted Solutions
chrisb1
Cadet 2nd Class Cadet 2nd Class
Cadet 2nd Class
‎2011-06-28 21:38

Jump to solution

The logline has an extra space at the end.  Add .* to the end of the regex to capture anything extra and it should match.  It works on the regex tool because we think we're smarter than computers and don't copy and paste the extra space when testing

(\d+\.\d+\.\d+\.\d+)\s+\S+\s+\S+\s+\[([^\]]+)]\s+"(\S+)\s+(\S+)\s+(\S+\/\d+\.\d+)"\s+(\d+)\s+(\d+).*

View solution in original post

0 Likes
Report Inappropriate Content
3 Replies
chrisb1
Cadet 2nd Class Cadet 2nd Class
Cadet 2nd Class
‎2011-06-28 21:38

Jump to solution

The logline has an extra space at the end.  Add .* to the end of the regex to capture anything extra and it should match.  It works on the regex tool because we think we're smarter than computers and don't copy and paste the extra space when testing

(\d+\.\d+\.\d+\.\d+)\s+\S+\s+\S+\s+\[([^\]]+)]\s+"(\S+)\s+(\S+)\s+(\S+\/\d+\.\d+)"\s+(\d+)\s+(\d+).*

View solution in original post

0 Likes
Report Inappropriate Content
branden2
Absent Member.
Absent Member.
‎2011-06-28 21:40

Jump to solution

You are a genius, my friend!

0 Likes
Report Inappropriate Content
chrisb1
Cadet 2nd Class Cadet 2nd Class
Cadet 2nd Class
‎2011-06-28 21:43

Jump to solution

Nah, I just learned the Edison way :  "I have not failed 700 times. I have not failed once. I have succeeded in proving that those 700 ways will not work. When I have eliminated the ways that will not work, I will find the way that will work." -- Edison

0 Likes
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.