https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/regex-not-functioning-properly-in-xql/m-p/581088#M6368 <P><SPAN>Hello everyone, I'm attempting to extract fields from DHCP logs but encounter an error stating, "Your query failed to run as it's invalid." my regex code works correctly on regex101 and CyberChef. Does anyone have any insights on how to troubleshoot the issue?</SPAN></P> <P><SPAN><BR /><BR /></SPAN></P> <P>dataset in(infoblox_infoblox_raw )<BR />|filter _raw_log ~=".*dhcpd.*" <BR />|alter event_raw = _raw_log <BR />|alter pid = arrayindex(regextract(_raw_log , "\[(\d+)\]:") ,0) ,<BR />Infobox_host = arrayindex(regextract(_raw_log , "(?:\s+([^\s]+)\s+)?dhcpd") ,0), <BR />mac_address = arrayindex(regextract(_raw_log , "DHCPDISCOVER\sfrom\s([A-Fa-f\d]{2}(?:[:-][A-Fa-f\d]{2}){5})") ,0) ,</P> <P>hostname1 = arrayindex(regextract(_raw_log , "DHCPDISCOVER\sfrom\s([A-Fa-f\d]{2}(?:[:-][A-Fa-f\d]{2}){5})\(([^)]+)\)") ,0)</P> <P>&nbsp;</P> <P>|fields hostname1, mac_address, pid, Infobox_host , _raw_log <BR />|limit 100</P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>Thanks</SPAN></P> Wed, 20 Mar 2024 17:25:00 GMT AmirSabei 2024-03-20T17:25:00Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/regex-not-functioning-properly-in-xql/m-p/581088#M6368 <P><SPAN>Hello everyone, I'm attempting to extract fields from DHCP logs but encounter an error stating, "Your query failed to run as it's invalid." my regex code works correctly on regex101 and CyberChef. Does anyone have any insights on how to troubleshoot the issue?</SPAN></P> <P><SPAN><BR /><BR /></SPAN></P> <P>dataset in(infoblox_infoblox_raw )<BR />|filter _raw_log ~=".*dhcpd.*" <BR />|alter event_raw = _raw_log <BR />|alter pid = arrayindex(regextract(_raw_log , "\[(\d+)\]:") ,0) ,<BR />Infobox_host = arrayindex(regextract(_raw_log , "(?:\s+([^\s]+)\s+)?dhcpd") ,0), <BR />mac_address = arrayindex(regextract(_raw_log , "DHCPDISCOVER\sfrom\s([A-Fa-f\d]{2}(?:[:-][A-Fa-f\d]{2}){5})") ,0) ,</P> <P>hostname1 = arrayindex(regextract(_raw_log , "DHCPDISCOVER\sfrom\s([A-Fa-f\d]{2}(?:[:-][A-Fa-f\d]{2}){5})\(([^)]+)\)") ,0)</P> <P>&nbsp;</P> <P>|fields hostname1, mac_address, pid, Infobox_host , _raw_log <BR />|limit 100</P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>Thanks</SPAN></P> Wed, 20 Mar 2024 17:25:00 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/regex-not-functioning-properly-in-xql/m-p/581088#M6368 AmirSabei 2024-03-20T17:25:00Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/regex-not-functioning-properly-in-xql/m-p/581154#M6372 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/138677">@AmirSabei</a>&nbsp;,</P> <P>Thanks for reaching out on LiveCommunity!</P> <P>&nbsp;</P> <P>Based on your query it looks like the issue is with Hostname1 field.&nbsp;&nbsp;<SPAN>The regular expression matches a DHCPDISCOVER message followed by a MAC address and an IP address enclosed in parentheses. Can you confirm exactly what are you looking in hostname1 field?</SPAN></P> <P>&nbsp;</P> <P><SPAN>if you run without |fields hostname1 it works fine.</SPAN></P> Thu, 21 Mar 2024 07:18:40 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/regex-not-functioning-properly-in-xql/m-p/581154#M6372 aspatil 2024-03-21T07:18:40Z