topic Re: Error in 'SearchParser': Mismatched ']' in Splunk Dev

Why the error in 'SearchParser': Mismatched ']' when using Splunk?

BongoNations — Fri, 06 Jan 2023 22:21:52 GMT

Hi All, thanks for clicking on the question

This search works fine in Linux using grep, but I can't get it to work in Splunk. Please can you help..

I have imported a test.csv file that has many lines like the following

[ERROR] 2023/01/05 16:53:05 [!] Get "https://test.co.uk/sblogin/username": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

I am simply just to trying to extract the username field after sblogin/ and nothing else after the "

This is the query I have tried that gives the Error in 'SearchParser': Mismatched ']'

source="test.csv" | rex field=raw_line "sblogin/([^"]+)" | eval extracted_string=substr(extracted_string, 9)

Re: Error in 'SearchParser': Mismatched ']'

richgalloway — Fri, 06 Jan 2023 13:47:24 GMT

Quotation marks must be triple-escaped in the rex command so they survive multiple layers of parsing.

source="test.csv" | rex field=raw_line "sblogin/([^\\\"]+)" | eval extracted_string=substr(extracted_string, 9)

Re: Error in 'SearchParser': Mismatched ']'

PickleRick — Fri, 06 Jan 2023 14:04:16 GMT

In this case - one backslash is enough 🙂 The quote is within a character class so it's treated literarily.

But in other cases it could indeed need more escaping. (and yes, escaping regexes can be a pain).

Re: Error in 'SearchParser': Mismatched ']'

BongoNations — Fri, 06 Jan 2023 14:05:25 GMT

Thanks Rich I just tried that and got this error

Error in 'rex' command: The regex 'sblogin/([^\"]+)' does not extract anything. It should specify at least one named group. Format: (?<name>...)

Re: Error in 'SearchParser': Mismatched ']'

BongoNations — Fri, 06 Jan 2023 14:30:07 GMT

Even with one backslash I get the same error

source="test.csv"
| rex field=raw_line "sblogin/([^\"]+)"
| eval extracted_string=substr(extracted_string, 9)

Error in 'rex' command: The regex 'sblogin/([^\"]+)' does not extract anything. It should specify at least one named group. Format: (?<name>...)

Re: Error in 'SearchParser': Mismatched ']'

richgalloway — Fri, 06 Jan 2023 14:34:00 GMT

We're making progress. All that remains is to do as the message says and put a name to the capture group.

source="test.csv" | rex field=raw_line "sblogin/(?<extracted_string>[^\"]+)" | eval extracted_string=substr(extracted_string, 9)

Re: Error in 'SearchParser': Mismatched ']'

BongoNations — Fri, 06 Jan 2023 15:16:53 GMT

Thanks I ran this query and it worked, but the output was basically everything, all text from the query lines. The usernames after sblogin/ were not specifically outputted on their own?

source="test.csv"
| rex field=raw_line "sblogin/(?<extracted_string>[^\"]+)"
| eval extracted_string=substr(extracted_string, 9)

I was hope to just see all the usernames and nothing else?

Re: Error in 'SearchParser': Mismatched ']'

richgalloway — Fri, 06 Jan 2023 16:42:39 GMT

We continue to make progress.

The rex command merely extracts fields. The extracted fields are added to the existing set of fields. To control which fields are shown in the results, use the fields or table command.

source="test.csv" | rex field=raw_line "sblogin/(?<extracted_string>[^\"]+)" | eval extracted_string=substr(extracted_string, 9) | table extracted_string

BTW, the substr function is looking for the 9th character in extracted_string. In the example data, extracted_string is "username", which doesn't have 9 characters so substr returns nothing.