topic Re: Regex throwing Mismatch Mismatched ']' in search in Splunk Search

Regex throwing Mismatch Mismatched ']' in search

Manoshanni — Fri, 15 May 2020 08:28:58 GMT

I am a beginner for Regex and Splunk. I am trying to use regular expression generated during field extraction in online search because I have different sourcetypes. While using the regex i am getting Mismatched ']'. error.

rex "^[^[\n][(?P[^ ]+)[^"\n]"\w+(?P\s+/\w+)"

Re: Regex throwing Mismatch Mismatched ']' in search

PavelP — Fri, 15 May 2020 08:56:11 GMT

Hello @Manoshanni

this regex is not correct, you can test it here: https://regex101.com/

Post few raw events here so somebody can help you to build a correct regex. Regexes created using field extraction tool are usually not very practical.

Re: Regex throwing Mismatch Mismatched ']' in search

cpetterborg — Fri, 15 May 2020 08:59:47 GMT

Please edit the example regex above and make it be code text formatted by using the 101010 formatting button to make it so that all your characters are visible. It's likely that the* characters can be guessed, but there could be other characters that are missing.

Re: Regex throwing Mismatch Mismatched ']' in search

ololdach — Fri, 15 May 2020 09:05:59 GMT

Hi,
all brackets () [] {} always have to come in pairs. They all have special meanings in regex and must be closed. The "Mismatch" error tells you that you have a bracket that is missing its counterpart. It's hard to tell exactly what you need, because you've not included the data sample and the result you'd like to get, but I assume that you want something like this:
rex "^[[^\n][(?<fieldnameA)[^ ]+)[^\"\n]\"\w+(?<fieldnameB>\s+/\w+)"
Note the two \" that differ from your regex. Since the " closes your regex string prematurely (giving you a bracket error), they need to be escaped by \" if you want to search your data for a " character. Also, you might want to include fieldnames in your regex.
Hope it helps
Oliver

Re: Regex throwing Mismatch Mismatched ']' in search

Manoshanni — Fri, 15 May 2020 09:29:22 GMT

I am trying to extract data from web server logs.

Below are the sample logs, I am trying to extract the timestamp and the application the call is hitting. Doing this for primarily getting the web traffic

[15/May/2020:03:51:10 -0400] "GET /ironpc/services/restapi....
[15/May/2020:03:50:10 -0400] "GET /ironjp/rest/userdata...

Re: Regex throwing Mismatch Mismatched ']' in search

ololdach — Fri, 15 May 2020 09:35:49 GMT

Hi,
try this: | rex field=_raw "^\[(?<time>[^\]]+)\][^/]*/(?<app>\w+)/"`
HiH
Oliver

Re: Regex throwing Mismatch Mismatched ']' in search

PavelP — Fri, 15 May 2020 09:49:57 GMT

@Manoshanni

if this one of the major web servers than there is an add-on for it, which does the parsing of all/most fields for you:

https://splunkbase.splunk.com/app/3186/ Apache / httpd

https://splunkbase.splunk.com/app/3258/ nginx

etc

Re: Regex throwing Mismatch Mismatched ']' in search

Manoshanni — Fri, 15 May 2020 11:01:05 GMT

Thank you. But its not matching the pattern

Re: Regex throwing Mismatch Mismatched ']' in search

ololdach — Fri, 15 May 2020 11:06:13 GMT

How so? It is on my side of the screen 🙂
| makeresults | eval _raw="[15/May/2020:03:51:10 -0400] \"GET /ironpc/services/restapi...." | rex field=_raw "^\[(?<time>[^\]]+)\][^/]*/(?<app>\w+)/"
Maybe the event data is not in the _raw field? What part is not matching?

Re: Regex throwing Mismatch Mismatched ']' in search

Manoshanni — Fri, 15 May 2020 12:19:50 GMT

Time field is extracting as expected. App field is returning values as PC,JP

Re: Regex throwing Mismatch Mismatched ']' in search

ololdach — Mon, 18 May 2020 09:41:26 GMT

Hi Manoshanni, I solved you initial question, telling you why the error occurred. I gave you a regex that works like a charm on the data that you have provided and your comment PC, JP makes no sense to me. If you would like to ignore the "iron" and just return the "pc", "jp" ... you should have only had those in bold. | rex field=_raw "^\[(?<time>[^\]]+)\][^/]*/iron(?<app>\w+)/"