topic Re: Why does my search return an error "Regex: missing closing parenthesis" when the regular expression is valid? in Splunk Enterprise

Why does my search return an error "Regex: missing closing parenthesis" when the regular expression is valid?

CaninChristellC — Wed, 10 Jun 2020 16:56:07 GMT

With the following search:

index=digitalguardian | transaction Computer_Name | rex  (?<=\\)(?<SiteCode>.{3})(?=-)

I get the following error:

Error in 'rex' command: Encountered the following error while compiling the regex '(?<=)(?.{3})(?=-)': Regex: missing closing parenthesis

Testing the regex in a Regex tester (specifically regex101.com) the regex tests as valid, and properly matches the intended characters. Further, examining the expression there seems to be a proper number of parenthesis (opening and closing) both in the expression and error message.

Why is Splunk handling this regular expression in this manner?

Re: Why does my search return an error "Regex: missing closing parenthesis" when the regular expression is valid?

CaninChristellC — Thu, 16 Feb 2017 23:07:38 GMT

Upon further review, it appears that Splunk is choking on the escaped backslash, and interpreting it as escaping the parenthesis mark. As one might expect, removing the first backslash to not escape the backslash also produces the same error.

Re: Why does my search return an error "Regex: missing closing parenthesis" when the regular expression is valid?

vasanthmss — Thu, 16 Feb 2017 23:12:33 GMT

some sample data would help ful?

Re: Why does my search return an error "Regex: missing closing parenthesis" when the regular expression is valid?

CaninChristellC — Thu, 16 Feb 2017 23:19:07 GMT

As in for the Computer_Name field? It doesn't even attempt to run the regex, it just dies on compiling the regex. The problem isn't that it's not matching the Regex, it's that it dies before it even attempts to match the Regex.

Re: Why does my search return an error "Regex: missing closing parenthesis" when the regular expression is valid?

acharlieh — Thu, 16 Feb 2017 23:59:33 GMT

I am admittedly curious about the use of positive lookahead and behind, as opposed to just matching the slash and dash characters outright as it seems like this would add steps to your regex matching, but in any case....

This might be worth a filing a bug on your support contract, as it does seem fairly odd (I tried things out on both Splunk 6.3.8 and 6.5.2)

I think you want | rex "\\\(?<SiteCode>.{3})-" No it doesn't pass regex101's checker, but I think Splunk may be reading the argument to rex as a string, so backslash escaping is happening with the simple reading of the string so then too few slashes are present when it then goes to parse the regex. It seems to work fine with 3 or 4 backslashes... Try these run anywhere queries:

| makeresults | eval _raw="FOO BAR\BIG-banananananana" | rex  (?<=\\\)(?<SiteCode>.{3})(?=-)

| makeresults | eval _raw="FOO BAR\BIG-banananananana" | rex  \\\(?<SiteCode>.{3})-

| makeresults | eval _raw="FOO BAR\BIG-banananananana" | rex  "\\\(?<SiteCode>.{3})-"

| makeresults | eval _raw="FOO BAR\BIG-banananananana" | rex  "\\\\(?<SiteCode>.{3})-"

Offtopic... regarding your search, I think transaction should preserve values from extracted fields, so you should be able to invert your rex and transaction command, which if you're in a distributed environment would mean your rex would be distributed to your indexers instead of having to run on your search head after the transaction command occurs.

Re: Why does my search return an error "Regex: missing closing parenthesis" when the regular expression is valid?

aaraneta_splunk — Mon, 20 Mar 2017 02:48:55 GMT

@CaninChristellCOP - Did the answer provided by acharlieh help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

Re: Why does my search return an error "Regex: missing closing parenthesis" when the regular expression is valid?

AshChakor — Wed, 30 Sep 2020 00:16:38 GMT

I have similar error. My following search in splunkUI works fine

index="appIndex*" host="somehost" | fields TransUID | rex field=_raw "^[^[\n]*[(?P[^]]+)"| transaction TransUID

But when I use the same query in javascript (SplunkJS) in my webapp I get following error.

Error in 'rex' command: Encountered the following error while compiling the regex '^[^[ ]*[(?P[^]]+)': Regex: unmatched closing parenthesis

Re: Why does my search return an error "Regex: missing closing parenthesis" when the regular expression is valid?

AshChakor — Wed, 30 Sep 2020 00:16:42 GMT

Thanks acharlieh.
It's working after I changed it to *\[(?P[^]]+)".

index="appIndex*" host="somehost" | rex field=_raw "^[^[\n]*\[(?P[^]]+)" | transaction TransUID