The regular expression field in the web UI treats both \ and \\ as a single \. As a result, \] is read as an escaped ] (a special sequence), so the character class is never closed.
You have to type \\\ for the third \ to be treated as a literal \.
In the configuration files it behaves differently. Below are the props.conf and transforms.conf entries.
props.conf:

[winevent]
REPORT-test = test

transforms.conf:

[test]
SOURCE_KEY = Message
REGEX = User: ([^\\\]+)\\\(\S+)
FORMAT = test1::$1 test2::$2
Here the leading \\ is treated as a literal \, and the third \ again acts as an escape character. As a result, the character class is not closed, and splunkd rejects the regex on restart:
PS C:\Splunk\bin> .\splunk.exe restart
Splunkd: Stopped

Splunk> Be an IT superhero. Go home early.

Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
(skipping validation of index paths because not running as LocalSystem)
Validated: _audit _configtracker _internal _introspection _metrics _metrics_rollup _telemetry _thefishbucket apache apache_basic evtx history iis iis_basic main pcap secure secure_basic summary test winevent winfirewall
Done
Checking filesystem compatibility... Done
Bad regex value: 'User: ([^\\\]+)\\\(\S+)', of param: transforms.conf / [test] / REGEX; why: missing terminating ] for character class
One or more regexes in your configuration are not valid. For details, please see btool.log or directly above.
Done
Checking default conf files for edits...
Validating installed files against hashes from 'C:\Splunk\splunk-9.1.3-d95b3299fa65-windows-64-manifest'
All installed files intact.
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Splunkd: Starting (pid 24296)
Done

Waiting for web server at http://127.0.0.1:8000 to be available.... Done

If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com

The Splunk web interface is at http://MHKANG:8000
Fixed by changing \\\ to \\ in transforms.conf:

[test]
SOURCE_KEY = Message
REGEX = User: ([^\\]+)\\(\S+)
FORMAT = test1::$1 test2::$2
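As an added example (not code from the original post or from Splunk), the script below runs both transforms.conf patterns from above through Python's re engine, which handles backslashes inside a character class the same way the PCRE engine in splunkd does here: the three-backslash version fails to compile with an unterminated character class, while the two-backslash version extracts the domain and user name from a constructed Windows event message in the same way the FORMAT line would. The sample message, the function names and the field names test1/test2 are assumptions made for this example.

```python
import re

# The two REGEX values exactly as they appear in the transforms.conf
# versions above (raw strings, so the file content is passed through
# verbatim, just as splunkd reads it from the conf file).
BROKEN_REGEX = r"User: ([^\\\]+)\\\(\S+)"  # three backslashes: \\ + \] -> class never closes
FIXED_REGEX = r"User: ([^\\]+)\\(\S+)"     # two backslashes: \\ is one literal backslash

# Constructed sample of a Windows event Message field (hypothetical data).
SAMPLE_MESSAGE = "An account was successfully logged on. User: CORP\\mhkang Logon Type: 3"


def compile_error(pattern):
    """Return None if the pattern compiles, otherwise the engine's error text.

    Mirrors the 'Bad regex value ... missing terminating ]' check that
    splunkd performs on restart.
    """
    try:
        re.compile(pattern)
    except re.error as exc:
        return str(exc)
    return None


def extract_fields(message, pattern, names=("test1", "test2")):
    """Mimic FORMAT = test1::$1 test2::$2.

    Returns a dict mapping each field name to the corresponding capture
    group, or an empty dict when the pattern does not match.
    """
    match = re.search(pattern, message)
    if not match:
        return {}
    return dict(zip(names, match.groups()))


if __name__ == "__main__":
    # The broken pattern is rejected before it can match anything.
    print("broken:", compile_error(BROKEN_REGEX))
    # The fixed pattern compiles and splits DOMAIN\user into two fields.
    print("fixed:", compile_error(FIXED_REGEX), extract_fields(SAMPLE_MESSAGE, FIXED_REGEX))
```

The key point the script makes visible is that a conf file gives the engine the backslashes unchanged, so every pair \\ is one literal backslash and the odd third one escapes whatever follows it; the web UI, by contrast, already collapses \\ to \ before the engine sees it, which is why the same pattern needs \\\ there.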