How to search for regex on all lines of file

AQuebman 2023-05-22 18:20:52 UTC #1

I am trying to searching this particular file across all lines and look for this regex expression and limit to three computer names. I know the computer name piece works but I can’t seem to get the fixlet to run without failure to search for these lines across the entire file instead of looking for specific lines. I tried a query previously looking for specific strings of text but the spacing or tabbing forced me into doing a regex query to eliminate that concern. Not sure how to set this in such a way to get the result i’m seeking.

if {(exists file "/tmp/Query.txt" whose (lines of it = regex("123456[[:space:]]+FE[[:space:]]+FI[[:space:]]+FO[[:space:]]+FUM[[:space:]]+0"))) AND (computer name) as lowercase contains "1" or (computer name) as lowercase contains "2" or (computer name) as lowercase contains "3"}

JasonWalker 2023-05-22 19:25:02 UTC #2

You can actually avoid the if/then/else by using the plural “files”. I believe you also want to check whether any lines contain the regex. I’m away from computer now and can’t test, but try

Exists matches( regex(“123456[[:space:]]+FE[[:space:]]+FI[[:space:]]+FO[[:space:]]+FUM[[:space:]]+0”)) of lines of files “/tmp/Query.txt”

AQuebman 2023-05-22 19:48:03 UTC #3

So I actually think I want the if/then/else structure because I am going to be doing this several times in the same action script to look for various regex expressions and then act accordingly. Now I can use that same query you posted within the if statement but it I can tell it returns as false because it doesn’t make the changes id expect.

JasonWalker 2023-05-22 19:57:47 UTC #4

Ok, then, the syntax might be

If exists files "/tmp/Query.txt" whose (exists lines whose (it contains regex(THE-REGEX)) of it) then THE-THING else THE-OTHER-THING

The key is looping through ‘lines of it’ and comparing the regex to each line

AQuebman 2023-05-22 20:36:56 UTC #5

Hmm so it’s not erroring but it’s still falling out of the if then loop for some reason. Does this formatting look right to you?

if exists files "/tmp/Query.txt" whose (exists lines whose (it contains regex("123456[[:space:]]+FE[[:space:]]+FI[[:space:]]+FO[[:space:]]+FUM[[:space:]]+BUM[[:space:]]+0")) of it) then

JasonWalker 2023-05-22 20:39:44 UTC #6

Yes, the format looks correct…changing it to a file I have on my system, this gives the correct results:

q: if exists files "C:\Temp\Query.txt" whose (exists lines whose (it contains regex("123456[[:space:]]+FE[[:space:]]+FI[[:space:]]+FO[[:space:]]+FUM[[:space:]]+BUM[[:space:]]+0")) of it) then "Yes" else "No"
A: Yes

AQuebman 2023-05-23 12:48:25 UTC #7

I think your code is right something is just not right on my end. Ill dive into it. Thanks Jason.

AQuebman 2023-05-23 18:27:21 UTC #8

I found part of my issue so this only works on windows for some reason. When I run the same statement on linux it fails. Do I need to handle regex differently between the two?

JasonWalker 2023-05-23 20:01:33 UTC #9

Hm. Yes, but what I gave should have worked cross-platform.

(on Windows and a few others, we could have used \s in the place of [[:space:]] but I’d expect [[:space:]] to work on all)

JasonWalker 2023-05-23 20:08:25 UTC #10

What form of Linux are you on? This works for me (on RHEL 8 with BigFix 10.0.8) , matching on both tabs and spaces… the ‘%09’ in the ‘lines of file’ result below is a tab character.

Q: if exists files "/tmp/Query.txt" whose (exists lines whose (it contains regex("123456[[:space:]]+FE[[:space:]]+FI[[:space:]]+FO[[:space:]]+FUM[[:space:]]+BUM[[:space:]]+0")) of it) then "Yes" else "No"
A: Yes
T: 249
I: string

Q: lines of files "/tmp/Query.txt"
A:
A: 123456%09 FE FI FO FUM BUM 0

Can you try the ‘lines of file’ in the qna utility ( /opt/BESClient/bin/qna ) and paste in the line that you expect should match? I wonder if there are other unprintable characters in the line, that would be represent by a %xx, that may not match against [[:space:]]

edit: also what version of client is running

AQuebman 2023-05-23 20:24:02 UTC #11

So I think I found the issue it appears because the txt file I am looking at was tab delimited it wasn’t matching but I thought that [[:space:]] would match tabbing as well as spaces and various other spacing situations. So I am still a tad confused but I will just have to change the file I am creating so it’s not being tabbed out.

JasonWalker 2023-05-23 21:04:51 UTC #12

[[:space:]] should match spaces, tabs, newlines, and several other whitespace characters (and on my snippet above, it did, at least on Red Hat 8.

I’d look at the output from a ‘lines of file’ query to see whether there are other unprintable characters there.

We use different regex libraries for each OS, so it’s possible to have a bug in one that behaves differently from others. Which Linux distro and version are you using?

AQuebman 2023-05-24 12:45:30 UTC #13

Suse Linux Enterprise Server 12 SP4

JasonWalker 2023-05-24 13:38:36 UTC #14

Can you run this as a test

q: exists matches(regex("test[[:space:]]+test")) of "test %09 test2"