Dashboards & Visualizations

unexpected close tag with regex

puneetgupz
New Member

I want to extract the error code from the text below, but I am getting an unexpected closing tag error. The name of the column in the database is SERVICE_RESPONSE.

Text:

Service execution forgetGCPPauseAndResumeCall Failed. Error -> Status Code - > 404, Status Text -> Not Found, Response Body ->{"message":"HTTP 404 Not Found","code":"not found","status":404,"contextId":"c496bcae-115b-456c-a557-3d5e2daae0b8","details":[],"errors":[]}. Check Business audit for more details

Solution1:

| rex field=SERVICE_RESPONSE "\"status\"\s*:\s*(?P<ERROR_CODE>\d+)"
//above expression is giving unexpected close tag

 

Solution2: 
| rex field=SERVICE_RESPONSE "&lt;dqt&gt;status&lt;dqt&gt;\:(?P<ERROR_CODE>.\w+)"

0 Karma

richgalloway
SplunkTrust

The regex used in the rex command goes through multiple layers of parsing so it needs multiple escape characters for embedded quotation marks.

Solution 1:

| rex field=SERVICE_RESPONSE "\\\"status\\\"\s*:\s*(?P<ERROR_CODE>\d+)"

Solution 2 won't work because regular expressions don't honor URL encoding.

---
If this reply helps you, Karma would be appreciated.
0 Karma

PickleRick
SplunkTrust

I suspect the HTML entities were due to some copy-pasting magic, not as part of the regexes themselves.

As for the regex - I don't understand what @puneetgupz means by "unexpected close tag".

When unescaped, the regex works perfectly well in regex101 - https://regex101.com/r/mR5JiJ/1

(you don't need to escape the quotes in regex; just in a string in Splunk).

EDIT: OK. Escaping is needed but in another place

| rex field=SERVICE_RESPONSE "\"status\"\\s*:\\s*(?P<ERROR_CODE>\\d+)"
0 Karma

puneetgupz
New Member

Still getting the same error

0 Karma
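An added example, not from any poster in this thread: it assumes the search is saved inside a Simple XML dashboard `<query>` element, which the thread never states. Under that assumption the named group `<ERROR_CODE>` reaches an XML parser before it reaches `rex`, so the Python check below parses a constructed dashboard skeleton with the query written raw, in CDATA, and entity-escaped, then runs the unescaped regex against a shortened copy of the sample text.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# The original poster's Solution 1, exactly as typed in the thread.
SPL = r'| rex field=SERVICE_RESPONSE "\"status\"\s*:\s*(?P<ERROR_CODE>\d+)"'

# Shortened copy of the thread's sample SERVICE_RESPONSE text (constructed for this example).
SAMPLE = ('Error -> Status Code - > 404, Status Text -> Not Found, Response Body ->'
          '{"message":"HTTP 404 Not Found","code":"not found","status":404,"details":[]}')


def as_dashboard(query_body):
    """Wrap a query body in a minimal, constructed Simple XML skeleton."""
    return ("<dashboard><row><panel><table><search><query>"
            f"{query_body}"
            "</query></search></table></panel></row></dashboard>")


def parse_query(xml_text):
    """Return (query_text, None) if well-formed, else (None, parser error message)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return None, str(exc)
    return root.find(".//query").text, None


# Three ways of writing the same search inside <query>.
VARIANTS = {
    "raw": SPL,                       # <ERROR_CODE> is read as an opening XML tag
    "cdata": f"<![CDATA[{SPL}]]>",    # parser passes the text through untouched
    "entities": escape(SPL),          # < and > become &lt; and &gt;
}


def check_all():
    return {name: parse_query(as_dashboard(body)) for name, body in VARIANTS.items()}


def extract_error_code(text):
    """The regex with no string-layer escaping, as tested on regex101 in the thread."""
    m = re.search(r'"status"\s*:\s*(?P<ERROR_CODE>\d+)', text)
    return m.group("ERROR_CODE") if m else None


if __name__ == "__main__":
    for name, (query, err) in check_all().items():
        print(f"{name:9} ->", "OK" if err is None else f"XML error: {err}")
    print("ERROR_CODE =", extract_error_code(SAMPLE))
```

Both the CDATA and entity-escaped forms hand the XML parser's consumer the identical search string, so whichever quote escaping the search itself needs is unaffected by the XML layer.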