Error in "SearchParser" mismatched ']'

eid1550
New Member

I am using the Python Splunk SDK to run a query, and this part of the query is giving me the above mismatched brackets error.

| rex field=_raw "(?ms)^(?:[^\"\\n]*\"){6}(?P<Error_code>\\d+)(?:[^\"\\n]*\"){4}(?P<Error_description>[^\\\\]+)"

It works when I put it in the actual Splunk search, but when I run it through Python it's giving me that error. What could be the problem?


jawaharas
Motivator

You should escape all the special characters (like double quote) used in your variable string.

Try this:

query = "| rex field=_raw \"(?ms)^(?:[^\"\\n]\"){6}(?P\\d+)(?:[^\"\\n]\"){4}(?P[^\\\]+)"

0 Karma

eid1550
New Member

I figured it out after A LOT of trial and error. The following is the "Python version". I kept printing what Python says and kept modifying it so it looks like the string in the Splunk IDE.

| rex field=_raw "(?ms)^(?:[^\\"\\n]\\"){6}(?P\\d+)(?:[^\\"\\n]\\"){4}(?P[^\\\\]+)"

Thank you for your help and for guiding me in the right direction.

0 Karma
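
Why the same text parses in the Splunk search bar but fails from Python, as an added example that is not code from any poster in this thread: a normal Python string literal consumes one level of backslash escapes before the query is sent. The rex text is taken from the original post; `check_spl_quoting` is a hypothetical, simplified quote and bracket scanner, not Splunk's actual SearchParser.

```python
# Added example: a simplified model of quoted-string parsing, not Splunk's parser.

# The rex command as it works in the Splunk search bar (text from the original
# post). The r'''...''' raw literal keeps every backslash.
RAW = r'''| rex field=_raw "(?ms)^(?:[^\"\\n]*\"){6}(?P<Error_code>\\d+)(?:[^\"\\n]*\"){4}(?P<Error_description>[^\\\\]+)"'''

# The same characters pasted into a normal literal: Python consumes one level
# of escaping, so \" becomes a bare " and \\ becomes \ before Splunk sees it.
COOKED = '''| rex field=_raw "(?ms)^(?:[^\"\\n]*\"){6}(?P<Error_code>\\d+)(?:[^\"\\n]*\"){4}(?P<Error_description>[^\\\\]+)"'''

PAIRS = {")": "(", "]": "["}


def check_spl_quoting(spl):
    """Return None if quotes and brackets balance, else a description.

    Assumed model: inside a double-quoted string a backslash escapes the next
    character; brackets are only counted outside quoted strings.
    """
    stack, in_string, i = [], False, 0
    while i < len(spl):
        ch = spl[i]
        if in_string:
            if ch == "\\":
                i += 2  # skip the backslash and the character it escapes
                continue
            if ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "([":
            stack.append(ch)
        elif ch in PAIRS:
            if not stack or stack.pop() != PAIRS[ch]:
                return f"mismatched '{ch}' at offset {i}"
        i += 1
    if in_string:
        return "unterminated quoted string"
    return f"unclosed '{stack[-1]}'" if stack else None


if __name__ == "__main__":
    for name, text in (("raw", RAW), ("cooked", COOKED)):
        print(f"{name:6} sent to Splunk: {text}")
        print(f"{name:6} check: {check_spl_quoting(text)}")
```

Printing the string Python actually holds, as the poster above did, shows the difference directly: in the normal literal the first `\"` has become a bare `"`, which ends the quoted regex early and leaves the following `]` outside it.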

eid1550
New Member

@jawaharas Yeah, it says the same thing: "Error in search parser mismatched ']'". It's a nightmare.

0 Karma

jawaharas
Motivator

Glad it worked out for you. Can you upvote and accept the answer if it's helped you? Thanks.

0 Karma

gaurav_maniar
Builder

Hi Eid,

Your query regex works fine in Splunk Web, but I haven't checked it with Python.
As it is being used in python, the reason you are getting this error is most probably due to character escaping \\ at the end of your regex.

Try playing around with the character escapes at <Error_description>[^\\\\] and it will solve your problem.

0 Karma

eid1550
New Member

@gaurav_maniar Hi Gaurav! Yeah, that is part of it, but the issue also resides in the first half of the query. For example, the first half here "raw "(?ms)^(?:[^\"\n]*\"){6}(?P\d+)" also gives me the same error... What am I supposed to escape here?

0 Karma

jawaharas
Motivator

Can you share the Python snippet where you use the regex?

0 Karma

eid1550
New Member

@jawaharas Hi, the Python is just in a variable like this:

query = """| rex field=_raw "(?ms)^(?:[^\"\n]\"){6}(?P\d+)(?:[^\"\n]\"){4}(?P[^\\]+)"""

then executed later.

0 Karma