doubleb Posted June 5, 2020

I'm a new PHP user needing some help. I've got two code snippets that run a CURL post to a syslog server, grabbing specific records that I then parse with regex. Both are similar, differing in the specific CURL URL and regex. One works, one does not. The failing program seems to fail the regex parse, creating a null array.

What I've done thus far:

- Tested the regex on regex101 (works fine, using PCRE).
- Dumped and echoed the CURL-created variable and then rechecked against regex101 (again all good).
- Created a static variable in the code of the CURL return string (regex works fine).

So the CURL is working, the variable string is working and appearing as expected, and the regex works. But the variable feels like it's null when passed directly from the CURL to the regex. No error logs, but this is where I'm stuck; I don't know what to pick at next. Here's a version of the code. Appreciate any thoughts.

```php
<?php
// DHCP URL setup
$login = 'testuser';
$password = 'xxxxxxx';
$headers = array(
    "Cache-Control: no-cache",
);
$url = 'https://xxx.xxx.xxx:8089/services/search/jobs/export';
$post2 = "search=search sourcetype=infoblox:dhcp dhcp_type=DHCPACK \"e4:f8:9c:82:66:8a\" earliest=-7d | head 1";
$chain = "C:\\apps-su\\wamp64\\apps\\phpmyadmin4.9.2\\libraries\\certs\\splunk-syr-edu-chain.pem";

// curl begins
$ch = curl_init();
// Note: $url above is not used; the endpoint is hard-coded here.
curl_setopt($ch, CURLOPT_URL, 'https://splunk.syr.edu:8089/services/search/jobs/export');
// Hostname and certificate verification are switched off, and the $chain
// bundle defined above is never passed to cURL.
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_FRESH_CONNECT, TRUE);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post2);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");
$str = curl_exec($ch);
curl_close($ch);
// curl steps ends

// The response body is echoed into the page without HTML escaping.
echo '<p>Match After CURL </p>';
echo '<p>' . $str . '</p>';
echo "<br>";
var_dump($str);

// Regex routine
//$str = '_bkt _cd _indextime _kv _raw _serial _si _sourcetype _time dhcp_type host index linecount source sourcetype splunk_server Configuration initialization for /opt/splunk/etc took 17ms when dispatching a search (search ID: 1591198882.902292) Your search was restricted by ( ( index=nat OR index=network OR index=radius ) OR ( source=/data/syslog/security/ipblocker ) ) base lispy: [ AND 66 82 8a 9c dhcpack e4 f8 sourcetype::infoblox:dhcp [ OR index::nat index::network index::radius source::/data/syslog/security/ipblocker ] ] search context: user="testuser", app="search", bs-pathname="/opt/splunk/etc" Your timerange was substituted based on your search string network~978~07708B5A-37B1-4315-8EFA-70B96D12856C 978:118251396 1591198398 1 Jun 3 11:33:15 128.230.100.36 dhcpd[21353]: DHCPACK on 10.1.0.19 to e4:f8:9c:82:66:8a (ITS-NDD-BOA-T01) via bond0 relay bond0 lease-duration 7200 0 its-splunk-idx2.syr.edu network infoblox:dhcp 2020-06-03 11:33:15.000 EDT DHCPACK 128.230.100.36 network 1 /data/syslog/network/dhcp infoblox:dhcp its-splunk-idx2.syr.edu';

$regex2 = '/(DHCPACK on )(?<IP>(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)))( to )(?<mac>([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2}))(( \(([^)(]*?)\) via))/';

if (preg_match_all($regex2, $str, $matches)) {
    // Regex expression matches
    echo "<h1>Found a match!</h1>";
    echo "<br>";
    echo '<p>Device ' . ' " ' . $matches[13][0] . ' " ' . ' ( MAC = ' . $matches[8][0] . ' ) ' . ' authenticated with IP = ' . $matches[3][0] . '</p>';
    echo "<br>";
} else {
    // Regex does not match
    echo "<h1>The regex pattern does not match.</h1>";
    if (preg_last_error() == PREG_BACKTRACK_LIMIT_ERROR) {
        print 'Backtrack limit was exhausted!';
    } else {
        // Some other error
        echo "<h1>Due to unknown error.</h1>";
    }
}
?>
```
requinix Posted June 5, 2020

Splunk should be returning to you XML, not text. What is a sample of the XML? There's a better way to search for the DHCPACK than regular expressions.
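Added example, not part of the original thread or either poster's code: one way to read the export response as XML and pull the DHCPACK details from the `_raw` field of each result, instead of matching against the whole response body. The response layout in the constructed sample, the `parse_dhcpack()` helper, and the documentation address and hostname are assumptions made for illustration.

```php
<?php
// Constructed sample response (assumed XML export layout; not captured from a real server).
$sampleXml = <<<'XML'
<results preview='0'>
  <result offset='0'>
    <field k='_raw'><v xml:space='preserve' trunc='0'>Jun  3 11:33:15 192.0.2.36 dhcpd[21353]: DHCPACK on 10.1.0.19 to e4:f8:9c:82:66:8a (ITS-NDD-BOA-T01) via bond0 relay bond0 lease-duration 7200</v></field>
    <field k='host'><value><text>idx.example.test</text></value></field>
  </result>
</results>
XML;

// Hypothetical helper: returns one array per DHCPACK event found in the response.
function parse_dhcpack(string $xml): array
{
    $prev = libxml_use_internal_errors(true);   // collect parse errors instead of warnings
    $doc  = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if ($doc === false) {
        throw new RuntimeException('Response body is not well-formed XML');
    }
    $leases = [];
    foreach ($doc->xpath('//result') as $result) {
        $raw = $result->xpath("field[@k='_raw']/v");
        if (!$raw) {
            continue;                            // event without a _raw field
        }
        // Match only the single log line, then validate each captured value.
        if (!preg_match('/DHCPACK on (\S+) to (\S+)(?: \(([^()]*)\))? via /', (string) $raw[0], $m)) {
            continue;
        }
        $ip  = filter_var($m[1], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
        $mac = filter_var($m[2], FILTER_VALIDATE_MAC);
        if ($ip !== false && $mac !== false) {
            $leases[] = ['ip' => $ip, 'mac' => $mac, 'device' => $m[3] ?? ''];
        }
    }
    return $leases;
}

foreach (parse_dhcpack($sampleXml) as $lease) {
    // Escape on output: values derived from logs are untrusted when written into HTML.
    printf("<p>Device \"%s\" (MAC = %s) authenticated with IP = %s</p>\n",
        htmlspecialchars($lease['device']), $lease['mac'], $lease['ip']);
}
```

Echoing a raw XML body into an HTML page lets the browser swallow the tags, so what is displayed can differ from the string the regex actually receives; `htmlspecialchars($str)` or viewing the page source shows the real bytes.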