On startup, Splunk checks its config files and reports any errors. If you ever come across one that complains about a regular expression with the message “Range not in class”, the fix is relatively simple. For those not familiar with regular expressions, they can seem like a bit of a minefield. However, this post will explain why you’re getting that message, and how to fix it.
In regular expressions, it’s possible to specify that you’re looking for a range of things, for example the letters a-z, or the numbers 0-9. You do this with square brackets:
However, if you’ve written a regular expression that looks for a range as well as the literal dash character, you must escape the dash when it is inside the square brackets. If you don’t, Splunk will read it as a request for everything from the thing on the left of the dash to the thing on the right. So if I were to expand on the earlier example:
The regex above isn’t asking for a-z, dash, or 0-9. It’s asking for a-z, z-0, and 0-9. The problem is that z-0 can’t work, as one is a string and the other is an int. You can’t have ranges across types. In this case, we can correct the offending regex like so:
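As an added example (not code from the original post), the Python sketch below finds an unescaped dash that directly follows a range inside square brackets and inserts the backslash. The function names, the sample stanza and the `user=` pattern are constructed for illustration; `REGEX` is the transforms.conf setting name, and POSIX classes such as `[[:alpha:]]` are not handled.

```python
# Constructed sample in transforms.conf style; stanza name and pattern are illustrative.
SAMPLE_CONF = "[constructed_stanza]\nREGEX = user=([a-z-0-9]+)\n"

def class_tokens(pattern, i):
    """Split the class whose '[' is at index i into (index, text) members."""
    i += 1
    if pattern.startswith("^", i):
        i += 1
    tokens, start = [], i
    while i < len(pattern) and (pattern[i] != "]" or i == start):
        width = 2 if pattern[i] == "\\" else 1  # keep an escape with its character
        tokens.append((i, pattern[i:i + width]))
        i += width
    return tokens, i + 1  # second value: index just past the closing ']'

def find_ambiguous_dashes(pattern):
    """Indexes of unescaped '-' that sit right after a finished range like a-z."""
    hits, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\":
            i += 2  # escaped character outside a class
        elif pattern[i] == "[":
            tokens, i = class_tokens(pattern, i)
            k = 0
            while k < len(tokens):
                if k + 2 < len(tokens) and tokens[k + 1][1] == "-":
                    k += 3  # consumed one lo-hi range
                    if k < len(tokens) - 1 and tokens[k][1] == "-":
                        hits.append(tokens[k][0])  # dash wedged between members
                        k += 1
                else:
                    k += 1
        else:
            i += 1
    return hits

def escape_dashes(pattern):
    """Insert a backslash before each flagged dash (right to left keeps indexes valid)."""
    for pos in reversed(find_ambiguous_dashes(pattern)):
        pattern = pattern[:pos] + "\\" + pattern[pos:]
    return pattern

def lint_conf(text):
    """Return (line number, corrected regex) for each REGEX setting that needs a fix."""
    fixes = []
    for number, line in enumerate(text.splitlines(), 1):
        key, _, value = line.partition("=")
        if key.strip() == "REGEX" and find_ambiguous_dashes(value):
            fixes.append((number, escape_dashes(value.strip())))
    return fixes
```

A dash placed first or last inside the brackets is left alone, since it cannot be read as part of a range there.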