Error in "SearchParser" mismatched ']'

New Member

I am using the Python Splunk SDK to run a query, and this part of the query is giving me the above mismatched brackets error.

| rex field=_raw "(?ms)^(?:[^\"\\n]*\"){6}(?P<Error_code>\\d+)(?:[^\"\\n]*\"){4}(?P<Error_description>[^\\\\]+)"

It works when I put it in the actual Splunk search, but when I run it through Python it's giving me that error. What could be the problem?

0 Karma

Motivator

You should escape all the special characters (like double quote) used in your variable string.

Try this:

query = "| rex field=_raw \"(?ms)^(?:[^\"\\n]\"){6}(?P\\d+)(?:[^\"\\n]\"){4}(?P[^\\\]+)"

0 Karma

New Member

I figured it out after A LOT of trial and error. The following is the "Python version". I kept printing what Python says and kept modifying it so it looks like the string in the Splunk IDE.

| rex field=_raw "(?ms)^(?:[^\\"\\n]\\"){6}(?P\\d+)(?:[^\\"\\n]\\"){4}(?P[^\\\\]+)"

Thank you for your help and for guiding me in the right direction.

0 Karma

New Member

@jawaharas yeah, it says the same thing: "Error in search parser mismatched ']'". It's a nightmare.

0 Karma

Motivator

Glad it worked out for you. Can you upvote and accept the answer if it helped you? Thanks.

0 Karma

Hi Eid,

Your query regex works fine in Splunk Web, but I haven't checked it with Python.
As it is being used in Python, the reason you are getting this error is most probably due to the character escaping \\ at the end of your regex.

Try to play around with the character escapes at <Error_description>[^\\\\] and it will solve your problem.

0 Karma

New Member

@gaurav_maniar Hi Gaurav! Yeah, that is part of it, but the issue also resides in the first half of the query. For example, the first half here "raw "(?ms)^(?:[^\"\n]*\"){6}(?P\d+)" also gives me the same error... What am I supposed to escape here?

0 Karma

Motivator

Can you share the Python snippet where you use the regex?

0 Karma

New Member

@jawaharas Hi, the Python is just in a variable like this:

query = """| rex field=_raw "(?ms)^(?:[^\"\n]\"){6}(?P\d+)(?:[^\"\n]\"){4}(?P[^\\]+)"""

Then executed later.

0 Karma
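
Added example, not part of any post in this thread: it compares the search text from the question stored in a raw Python literal with the same text in a normal triple-quoted literal, where Python consumes one level of backslashes before the SDK sends the string. The scanner is a simplified model of SPL quoting (a backslash escapes the next character inside double quotes, and `[` `]` outside quotes delimit subsearches), not Splunk's parser; the names RAW, COOKED and unquoted_bracket_problem are hypothetical.

```python
# Added illustration; simplified model of SPL quoting, not Splunk's own parser.

# Search text exactly as typed in Splunk Web (from the question). The r prefix
# keeps every backslash, so Splunk receives the same characters.
RAW = r'''| rex field=_raw "(?ms)^(?:[^\"\\n]*\"){6}(?P<Error_code>\\d+)(?:[^\"\\n]*\"){4}(?P<Error_description>[^\\\\]+)"'''

# The same source text WITHOUT the r prefix: Python turns \" into " and \\ into \
# before the string ever leaves the program.
COOKED = '''| rex field=_raw "(?ms)^(?:[^\"\\n]*\"){6}(?P<Error_code>\\d+)(?:[^\"\\n]*\"){4}(?P<Error_description>[^\\\\]+)"'''


def unquoted_bracket_problem(spl):
    """Return (index, char) of the first unbalanced [ or ] outside double
    quotes, or None if brackets outside quotes are balanced."""
    in_quotes = False
    open_positions = []
    i = 0
    while i < len(spl):
        c = spl[i]
        if in_quotes and c == "\\":
            i += 2  # escaped character inside a quoted string: skip both
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif not in_quotes and c == "[":
            open_positions.append(i)
        elif not in_quotes and c == "]":
            if not open_positions:
                return (i, "]")  # closing bracket with nothing to close
            open_positions.pop()
        i += 1
    return (open_positions[0], "[") if open_positions else None


if __name__ == "__main__":
    for name, text in (("RAW", RAW), ("COOKED", COOKED)):
        print(name, "sent to Splunk:", text)
        print(name, "bracket problem:", unquoted_bracket_problem(text))
```

In the non-raw literal the first `\"` reaches Splunk as a bare `"`, which closes the quoted regex early and leaves the following `]` outside any string. Printing the variable before submitting the search, as the original poster did, shows the same difference.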