Splunk Dev

Error in "SearchParser" mismatched ']'

eid1550
New Member

I am using the Python Splunk SDK to run a query, and this part of the query is giving me the above mismatched brackets error.

| rex field=_raw "(?ms)^(?:[^\"\\n]*\"){6}(?P<Error_code>\\d+)(?:[^\"\\n]*\"){4}(?P<Error_description>[^\\\\]+)"

It works when I put it in the actual Splunk search, but when I run it through Python it's giving me that error. What could be the problem?

0 Karma
1 Solution

jawaharas
Motivator

You should escape all the special characters (like double quote) used in your variable string.

Try this:

query = "| rex field=_raw \"(?ms)^(?:[^\"\\n]*\"){6}(?P<Error_code>\\d+)(?:[^\"\\n]*\"){4}(?P<Error_description>[^\\\]+)"

0 Karma

eid1550
New Member

I figured it out after A LOT of trial and error. The following is the "Python version". I kept printing what Python says and kept modifying it so it looks like the string in the Splunk IDE.

| rex field=_raw "(?ms)^(?:[^\\"\\n]*\\"){6}(?P<Error_code>\\d+)(?:[^\\"\\n]*\\"){4}(?P<Error_description>[^\\\\]+)"

Thank you for your help and guiding me in the right direction.

0 Karma

eid1550
New Member

@jawaharas Yeah, it says the same thing: "Error in search parser mismatched ']'". It's a nightmare.

0 Karma

jawaharas
Motivator

Glad it worked out for you. Can you upvote and accept the answer if it helped you? Thanks.

0 Karma

gaurav_maniar
Builder

Hi Eid,

Your query regex works fine in Splunk Web, but I haven't checked it with Python.
As it is being used in Python, the reason you are getting this error is most probably due to the character escaping \\ at the end of your regex.

Try to play around with the character escapes at <Error_description>[^\\\\] and it will solve your problem.

0 Karma

eid1550
New Member

@gaurav_maniar Hi Gaurav! Yeah, that is part of it, but the issue also resides in the first half of the query. For example, the first half here, "raw "(?ms)^(?:[^\"\n]*\"){6}(?P<Error_code>\d+)", also gives me the same error... What am I supposed to escape here?

0 Karma

jawaharas
Motivator

Can you share the Python snippet where you use the regex?

0 Karma

eid1550
New Member

@jawaharas Hi, the Python is just in a variable like this:

query = """| rex field=_raw "(?ms)^(?:[^\"\n]*\"){6}(?P<Error_code>\d+)(?:[^\"\n]*\"){4}(?P<Error_description>[^\\]+)"""

Then it is executed later.

0 Karma
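The quoting problem discussed in this thread, as an added example that is not code from any of the posters: it compares the doubled-backslash form, an equivalent raw string, and the plain literal that fails. `brackets_outside_quotes` is a hypothetical helper built on a simplified model of SPL double-quoted strings (an assumption, not Splunk's actual parser); the group names and `*` quantifiers follow the regex in the question.

```python
# Doubled-backslash form: each \\ becomes one backslash after Python's escaping.
DOUBLED = '''| rex field=_raw "(?ms)^(?:[^\\"\\n]*\\"){6}(?P<Error_code>\\d+)(?:[^\\"\\n]*\\"){4}(?P<Error_description>[^\\\\]+)"'''

# Same SPL as a raw string: Python passes every backslash through untouched.
RAW = r'''| rex field=_raw "(?ms)^(?:[^\"\n]*\"){6}(?P<Error_code>\d+)(?:[^\"\n]*\"){4}(?P<Error_description>[^\\]+)"'''

# Plain literal: Python turns \" into ", \n into a real newline and \\ into \
# before Splunk parses anything. (\d is spelled \\d here only to avoid Python's
# invalid-escape warning; the resulting characters are identical.)
NAIVE = '''| rex field=_raw "(?ms)^(?:[^\"\n]*\"){6}(?P<Error_code>\\d+)(?:[^\"\n]*\"){4}(?P<Error_description>[^\\]+)"'''


def brackets_outside_quotes(spl):
    """Return the '[' and ']' characters that fall outside double-quoted strings.

    Simplified model (assumption): '"' opens or closes a string, and a backslash
    inside a string escapes the next character. Brackets outside a string are
    what a search parser would try to pair up.
    """
    found, in_string, i = [], False, 0
    while i < len(spl):
        ch = spl[i]
        if in_string and ch == "\\":
            i += 2          # skip the escaped character, e.g. \" or \\
            continue
        if ch == '"':
            in_string = not in_string
        elif ch in "[]" and not in_string:
            found.append(ch)
        i += 1
    return found


if __name__ == "__main__":
    for name, query in (("DOUBLED", DOUBLED), ("RAW", RAW), ("NAIVE", NAIVE)):
        # repr() shows the exact characters that would be sent to Splunk.
        print(name, brackets_outside_quotes(query), repr(query))
```

Printing `repr(query)` before submitting a search shows the exact text Splunk will receive, which is the debugging step the original poster describes.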