Jump to content

Recommended Posts

I'm a new PHP users needing some help. I've got two code snippets that run a CURL post to a syslog server grabbing specific records that I then parse with regex. Both are similar differing in the specific CURL URL and Regex. One works does not. The failing program seems to fail the regex parse creating a null array. What I've done thus far. Tested the regex on regex101 (works fine, using PCRE). Dumped and echoed the CURL created variable and then rechecked against regex101. ( again all good) Created a static variable in the code of the CURL return string (regex works fine). 

So the CURL is working, the variable string is working appearing as expected and the regex works. But the variable feels like's it null when passed directly from the CURL to the regex. No error logs, but this is where I'm stuck I don't know what to pick at next.  Here's a version of the code. Appreciate any thoughts. 

<?php


//DHCP URL Setup
$login = 'testuser';
$password = 'xxxxxxx';
$headers = array( 
                 "Cache-Control: no-cache", 
                );
$url = 'https://xxx.xxx.xxx:8089/services/search/jobs/export';
$post2 = "search=search sourcetype=infoblox:dhcp dhcp_type=DHCPACK \"e4:f8:9c:82:66:8a\" earliest=-7d | head 1";
$chain = "C:\\apps-su\\wamp64\\apps\\phpmyadmin4.9.2\\libraries\\certs\\splunk-syr-edu-chain.pem";
// curl begins
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://splunk.syr.edu:8089/services/search/jobs/export');
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_FRESH_CONNECT, TRUE);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post2);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
curl_setopt($ch, CURLOPT_USERPWD, "$login:$password");

$str = curl_exec($ch);
curl_close($ch);

// curl steps ends


echo '<p>Match After CURL </p>';
echo '<p>' . $str . '</p>';
echo "<br>";
var_dump ($str)
// Regex Routine

//$str = '_bkt _cd _indextime _kv _raw _serial _si _sourcetype _time dhcp_type host index linecount source sourcetype splunk_server Configuration initialization for /opt/splunk/etc took 17ms when dispatching a search (search ID: 1591198882.902292) Your search was restricted by ( ( index=nat OR index=network OR index=radius ) OR ( source=/data/syslog/security/ipblocker ) ) base lispy: [ AND 66 82 8a 9c dhcpack e4 f8 sourcetype::infoblox:dhcp [ OR index::nat index::network index::radius source::/data/syslog/security/ipblocker ] ] search context: user="testuser", app="search", bs-pathname="/opt/splunk/etc" Your timerange was substituted based on your search string network~978~07708B5A-37B1-4315-8EFA-70B96D12856C 978:118251396 1591198398 1 Jun 3 11:33:15 128.230.100.36 dhcpd[21353]: DHCPACK on 10.1.0.19 to e4:f8:9c:82:66:8a (ITS-NDD-BOA-T01) via bond0 relay bond0 lease-duration 7200 0 its-splunk-idx2.syr.edu network infoblox:dhcp 2020-06-03 11:33:15.000 EDT DHCPACK 128.230.100.36 network 1 /data/syslog/network/dhcp infoblox:dhcp its-splunk-idx2.syr.edu';
$regex2 = '/(DHCPACK on )(?<IP>(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)))( to )(?<mac>([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2}))(( \(([^)(]*?)\) via))/';
if (preg_match_all($regex2, $str $matches)) {
    //  regex expression matches 
    echo "<h1>Found a match!</h1>";
    
    echo "<br>";
    echo '<p>Device ' . ' " ' . $matches[13][0] .  ' " ' . ' ( MAC  = ' . $matches[8][0] . ' ) ' .  '  authenticated with IP  = ' . $matches[3][0] .  '</p>';
    echo "<br>";
} else {
    // Regex Does Not Match
        echo "<h1>The regex pattern does not match.<h2>";{
        if (preg_last_error() == PREG_BACKTRACK_LIMIT_ERROR) {
    print 'Backtrack limit was exhausted!';
        } else {
            // some other error_get_last
        echo "<h1>Due to unknown error.<h2>";
        }
}
}
 ?>

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.