topic Re: 'SearchParser': Missing a search command before '^' in Splunk Search

'SearchParser': Missing a search command before '^'

maria_n — Tue, 03 Dec 2019 16:19:19 GMT

I am trying to extract fields Environment and Service with below search and receiving the error 'SearchParser': Missing a search command before '^'.
I got the rex command from Splunk field extractor screen, however, this error comes up in the search window.

index=***  base search    |  rex field=message "^[^\\\n]*\\"(?P<Environment>[^\\]+)[^=\n]*=\\"(?P<Service>[^\\]+)"

Sample event:

{ "__CURSOR" : "s=ccf7ccd2666b481c880c3a36c2d0d504;i=71c1b4;b=423aef85e8a745d785e26ea9b1611d92;m=9cd3993341;t=598cb4887fb24;x=29d41973a54be13c", "__REALTIME_TIMESTAMP" : "1575373746207524", "__MONOTONIC_TIMESTAMP" : "673564930881", "_BOOT_ID" : "423aef85e8a745d785e26ea9b1611d92", "_UID" : "0", "_GID" : "0", "_CAP_EFFECTIVE" : "1fffffffff", "_SYSTEMD_SLICE" : "system.slice", "_MACHINE_ID" : "6be70c13152f40488b5f3b3847dc2bd0", "_HOSTNAME" : "ocf-splunk-nonprod-linux-1", "_TRANSPORT" : "stdout", "PRIORITY" : "6", "_STREAM_ID" : "f5dbc3d1330f4783bf0586cfaad9a4fc", "SYSLOG_IDENTIFIER" : "polling_url.sh", "_PID" : "2345", "_COMM" : "cat", "_EXE" : "/usr/bin/cat", "_CMDLINE" : "/bin/cat", "_AUDIT_SESSION" : "8872", "_AUDIT_LOGINUID" : "0", "_SYSTEMD_CGROUP" : "/system.slice/crond.service", "_SYSTEMD_UNIT" : "crond.service", "MESSAGE" : "2019-12-03 05:49:05, Environment=\"OTS STRESS(CDC)\", Service=\"services-orderdetails-stress.apps.cdc-b.lle.xpaas.kohls\", WSDL_Service=\"KohlsOrderService\", Status=404, Response_Time=0.244, Endpoint=\"https://oms-services-orderdetails-stress.apps.cdc-b.lle.xpaas.kohls.com/ots_orderstatus/KohlsOrderService?wsdl\"" }

Re: 'SearchParser': Missing a search command before '^'

Sukisen1981 — Wed, 04 Dec 2019 08:14:21 GMT

can you specify what fields you are trying to extract from the sample event?

Re: 'SearchParser': Missing a search command before '^'

Sukisen1981 — Wed, 04 Dec 2019 08:25:18 GMT

try this

|rex field=_raw "Environment\=+\\\+\"(?<env>.*?)\\\\+\"+\,+\s+Service\=+\\\+\"(?<serv>.*?)\\\\"|table env,serv

Re: 'SearchParser': Missing a search command before '^'

woodcock — Wed, 04 Dec 2019 10:03:46 GMT

NEVER let splunk build RegEx OR pick timestamps. Like this:

| makeresults 
| eval _raw="{ \"__CURSOR\" : \"s=ccf7ccd2666b481c880c3a36c2d0d504;i=71c1b4;b=423aef85e8a745d785e26ea9b1611d92;m=9cd3993341;t=598cb4887fb24;x=29d41973a54be13c\", \"__REALTIME_TIMESTAMP\" : \"1575373746207524\", \"__MONOTONIC_TIMESTAMP\" : \"673564930881\", \"_BOOT_ID\" : \"423aef85e8a745d785e26ea9b1611d92\", \"_UID\" : \"0\", \"_GID\" : \"0\", \"_CAP_EFFECTIVE\" : \"1fffffffff\", \"_SYSTEMD_SLICE\" : \"system.slice\", \"_MACHINE_ID\" : \"6be70c13152f40488b5f3b3847dc2bd0\", \"_HOSTNAME\" : \"ocf-splunk-nonprod-linux-1\", \"_TRANSPORT\" : \"stdout\", \"PRIORITY\" : \"6\", \"_STREAM_ID\" : \"f5dbc3d1330f4783bf0586cfaad9a4fc\", \"SYSLOG_IDENTIFIER\" : \"polling_url.sh\", \"_PID\" : \"2345\", \"_COMM\" : \"cat\", \"_EXE\" : \"/usr/bin/cat\", \"_CMDLINE\" : \"/bin/cat\", \"_AUDIT_SESSION\" : \"8872\", \"_AUDIT_LOGINUID\" : \"0\", \"_SYSTEMD_CGROUP\" : \"/system.slice/crond.service\", \"_SYSTEMD_UNIT\" : \"crond.service\", \"MESSAGE\" : \"2019-12-03 05:49:05, Environment=\\\"OTS STRESS(CDC)\\\", Service=\\\"services-orderdetails-stress.apps.cdc-b.lle.xpaas.kohls\\\", WSDL_Service=\\\"KohlsOrderService\\\", Status=404, Response_Time=0.244, Endpoint=\\\"" 
| spath 
| rex "\\\"MESSAGE\\\"\s*:\s*\\\"(?<message>.*)" 
| rex field=message "Environment=\\\\\\\"(?<Environment>[^\\\]+)\S+\s+Service=\\\\\\\"(?<Service>[^\\\]+)"