topic Re: Mismatch '[' error in field extraction using regular expression in Splunk Search

Mismatch '[' error in field extraction using regular expression

Manonmani5 — Wed, 18 Apr 2018 08:20:09 GMT

I am a new splunk user and apologies for this dump question. I tried to extract a field with the fort "servername:portnumber"

( ex: sd45j478889:23684) using field extractor.

I got the below regular expression in field extractor.

^(?:[^"\n]*"){8}\s+(?P[^ ]+)

This didn't worked for all the events because of different sourcetypes. So I tried to use this regex in my search. When I used this in my search I am getting "Mismatch '[' " error. Below is the query I used.

index= xyz | rex "^(?:[^"\n]*"){8}\s+(?P[^ ]+)"|table Port

I couldn't find what is wrong with the expression. can someone please help

Re: Mismatch '[' error in field extraction using regular expression

p_gurav — Wed, 18 Apr 2018 08:24:04 GMT

Can you try:

| rex "^(?:[^\"\n]*"){8}\s+(?P[^ ]+)"

Also try :

| rex "(?P<servername>[^\:]+):(?P<portnumber>+)"

Re: Mismatch '[' error in field extraction using regular expression

Manonmani5 — Wed, 18 Apr 2018 10:09:08 GMT

Thanks. It didn't worked. For the second one 'I got error as 'Error in 'rex' command: Encountered the following error while compiling the regex '(?P[^:]+):(?P+)': Regex: nothing to repeat'.

And for the first I got error like 'Error in 'SearchParser': Missing a search command before '^'. Error at position '64' of search query 'search index= spider_prod | rex "^(?:[^\"\n]*"){8...{snipped} {errorcontext = (?P[^ ]+)"}'.'

Below is the search condition I used for the first one.

index= xyz | rex "^(?:[^\"\n]*"){8}\s+(?P[^ ]+)"

Re: Mismatch '[' error in field extraction using regular expression

p_gurav — Wed, 18 Apr 2018 10:22:44 GMT

Can you try :

| rex field= _raw "(?P<servername>[^\:]+):(?P<portnumber>+)"

Re: Mismatch '[' error in field extraction using regular expression

p_gurav — Wed, 18 Apr 2018 10:24:55 GMT

Also one question servername:portnumber is always same the way you specified in example. Is it field or you are extracting from raw event. Can you provide whole event?

Re: Mismatch '[' error in field extraction using regular expression

kthammireddygar — Wed, 18 Apr 2018 10:35:54 GMT

Can you please provide the whole event.

Re: Mismatch '[' error in field extraction using regular expression

Manonmani5 — Wed, 18 Apr 2018 11:40:25 GMT

Yes.. The format is same... But the server name and port number will be different based on servers. While executing the above regex I am getting error as "The regex '_raw' does not extract anything. It should specify at least one named group. Format: (?...). "

Re: Mismatch '[' error in field extraction using regular expression

p_gurav — Wed, 18 Apr 2018 11:55:04 GMT

I already made a group called servername and portnumber above? My mistake, remove space:

| rex field=_raw "(?P<servername>[^\:]+):(?P<portnumber>+)"

Re: Mismatch '[' error in field extraction using regular expression

Sukisen1981 — Wed, 18 Apr 2018 11:57:54 GMT

can you give a sample of your raw event?

Re: Mismatch '[' error in field extraction using regular expression

niketn — Wed, 18 Apr 2018 16:19:11 GMT

@Manonmani5 while posting sample event or code, please use the code button (101010 or CTRL+K) on Splunk Answers to ensure that special characters in your code or sample data does not get escaped. Alternatively you can add four spaces before each line of your code and make sure there is an enter before the first line of code.

Re: Mismatch '[' error in field extraction using regular expression

Manonmani5 — Thu, 19 Apr 2018 11:48:07 GMT

30.130.51.1 eps.vincetryu.com - [19/Apr/2018:07:44:36 -0400] "GET /tyywuenndri/css/select2.png HTTP/1.1" 200 613 "https://eps.nyuehrnf.com/ajeunx/css/select2.css" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "3373" "ij10k222:25898"

Re: Mismatch '[' error in field extraction using regular expression

Manonmani5 — Thu, 19 Apr 2018 11:49:17 GMT

Above is the sample event . I have to extract "ij10k222.25898" from the event

Re: Mismatch '[' error in field extraction using regular expression

Manonmani5 — Thu, 19 Apr 2018 11:52:51 GMT

This is the error I am getting."Error in 'rex' command: Encountered the following error while compiling the regex '(?P[^:]+):(?P+)': Regex: nothing to repeat"
Sample Event:
[19/Apr/2018:07:44:36 -0400] "GET /tyywuenndri/css/select2.png HTTP/1.1" 200 613 "https://eps.nyuehrnf.com/ajeunx/css/select2.css" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "3373" "ij10k222:25898"

Re: Mismatch '[' error in field extraction using regular expression

Manonmani5 — Thu, 19 Apr 2018 11:53:13 GMT

[19/Apr/2018:07:44:36 -0400] "GET /tyywuenndri/css/select2.png HTTP/1.1" 200 613 "https://eps.nyuehrnf.com/ajeunx/css/select2.css" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "3373" "ij10k222:25898"

Re: Mismatch '[' error in field extraction using regular expression

kthammireddygar — Thu, 19 Apr 2018 12:16:25 GMT

Try this :

index=abc sourcetype=xyz | rex "\"(?P<Servername>\w+)\:(?P<Portnumber>\d+)\""

Re: Mismatch '[' error in field extraction using regular expression

Manonmani5 — Mon, 23 Apr 2018 08:28:06 GMT

Thanks.. This worked for me

Re: Mismatch '[' error in field extraction using regular expression

Manonmani5 — Mon, 23 Apr 2018 08:29:50 GMT

May I know what was the problem with the below regex.

^(?:[^"\n]*"){8}\s+(?P[^ ]+)

This expression I got when I extracted the field using 'Field Extractor'