Splunk Dev

Error in "SearchParser" mismatched ']'

eid1550
New Member

I am using the python splunk SDK to run a query, and this part of the query is giving me the above mismatched brackets error.

| rex field=_raw "(?ms)^(?:[^\"\\n]*\"){6}(?P<Error_code>\\d+)(?:[^\"\\n]*\"){4}(?P<Error_description>[^\\\\]+)"

It works when I put it in the actual splunk search, but when I run it through python its giving me that error. What could be the problem?

0 Karma
1 Solution

jawaharas
Motivator

You should escape all the special characters (like double quote) used in your variable string.

Try this:

query = "| rex field=_raw \"(?ms)^(?:[^\"\\n]*\"){6}(?P<Error_code>\\d+)(?:[^\"\\n]*\"){4}(?P<Error_description>[^\\\]+)"


0 Karma

eid1550
New Member

I figured it out after A LOT of trial and error. The following is the "python version". I kept printing what Python says and kept modifying it so it looks like the string in the Splunk IDE.

| rex field=_raw "(?ms)^(?:[^\\"\\n]*\\"){6}(?P<Error_code>\\d+)(?:[^\\"\\n]*\\"){4}(?P<Error_description>[^\\\\]+)"

Thank you for your help and for guiding me in the right direction.

0 Karma
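The thread above is about the three escaping layers a rex pattern passes through when it is sent from the Python SDK: the Python string literal, the SPL double-quoted string, and finally the regex engine. The script below is an added example, not code from the thread or from the Splunk SDK. It takes the SPL exactly as typed in the search bar (the original question), shows the raw-string and the doubled-backslash Python spellings side by side, shows what the thread's first triple-quoted attempt actually turns into, and then applies a small model of Splunk's string unescaping (the assumption that `\"` becomes `"` and `\\` becomes `\` inside a double-quoted SPL string, with other backslash sequences passed through) to run the resulting regex against a constructed `_raw` event. The sample event, the `splunk_unescape` model and the helper names are assumptions of this example.

```python
import re

# The SPL exactly as typed in the Splunk search bar (from the question), written as a
# Python raw string so backslashes and quotes need no second layer of escaping.
SPL_QUERY = (
    r'| rex field=_raw "(?ms)^(?:[^\"\\n]*\"){6}(?P<Error_code>\\d+)'
    r'(?:[^\"\\n]*\"){4}(?P<Error_description>[^\\\\]+)"'
)

# The same text as an ordinary (non-raw) Python literal: every backslash doubled and every
# double quote escaped. Both spellings evaluate to the identical query string.
SPL_QUERY_ESCAPED = (
    "| rex field=_raw \"(?ms)^(?:[^\\\"\\\\n]*\\\"){6}(?P<Error_code>\\\\d+)"
    "(?:[^\\\"\\\\n]*\\\"){4}(?P<Error_description>[^\\\\\\\\]+)\""
)

# Modelled on the thread's first attempt (triple-quoted, not raw): Python itself consumes
# \" and \n, so the text handed to Splunk carries bare quotes and a real newline.
NAIVE_QUERY = '''| rex field=_raw "(?ms)^(?:[^\"\n]*\"){6}(?P<Error_code>\\d+)(?:[^\"\n]*\"){4}(?P<Error_description>[^\\]+)"'''


def extract_rex_pattern(spl: str) -> str:
    """Return the body of the first double-quoted argument of an SPL command, honouring
    backslash escapes so that an escaped quote does not terminate the string."""
    start = spl.index('"') + 1
    i = start
    while i < len(spl):
        if spl[i] == "\\":
            i += 2  # skip the escaped character, whatever it is
        elif spl[i] == '"':
            return spl[start:i]
        else:
            i += 1
    raise ValueError("unterminated double-quoted string in SPL")


def splunk_unescape(literal: str) -> str:
    """Model (an assumption of this example, not a statement of Splunk internals) of how a
    double-quoted SPL string literal becomes the text given to the regex engine:
    \\" -> " and \\\\ -> \\ ; any other backslash sequence is passed through unchanged."""
    out = []
    i = 0
    while i < len(literal):
        if literal[i] == "\\" and i + 1 < len(literal) and literal[i + 1] in '"\\':
            out.append(literal[i + 1])
            i += 2
        else:
            out.append(literal[i])
            i += 1
    return "".join(out)


def extract_error_fields(spl: str, raw_event: str) -> dict:
    """Compile the rex pattern the way Splunk would see it and apply it to one _raw event.
    Returns the named groups, or an empty dict when the pattern does not match."""
    pattern = re.compile(splunk_unescape(extract_rex_pattern(spl)))
    match = pattern.search(raw_event)
    return match.groupdict() if match else {}


# Constructed sample event: two quoted fields, then a message whose inner quotes are
# backslash-escaped, ending with a Windows-style literal \r\n before the closing quote.
SAMPLE_RAW = (
    r'ts="2024-03-01T10:00:00Z" host="web01" '
    r'msg="code \"503\" reason \"timeout\" detail \"Upstream connection timed out\r\n\""'
)


if __name__ == "__main__":
    print("raw and escaped spellings identical:", SPL_QUERY == SPL_QUERY_ESCAPED)
    print("naive literal contains a real newline:", "\n" in NAIVE_QUERY)
    print("regex as the engine sees it:", splunk_unescape(extract_rex_pattern(SPL_QUERY)))
    print("fields extracted:", extract_error_fields(SPL_QUERY, SAMPLE_RAW))
```

Printing the variable before sending it, as the original poster ended up doing, is the practical check: the printed text must be character-for-character what you would paste into the search bar. A raw string (`r'...'`) gets there with the fewest backslashes, and `repr(query)` makes an accidental newline or a collapsed `\"` visible immediately.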


eid1550
New Member

@jawaharas Yeah, it says the same thing: "Error in search parser: mismatched ']'". It's a nightmare.

0 Karma

jawaharas
Motivator

Glad it worked out for you. Can you upvote and accept the answer if it helped you? Thanks.

0 Karma

gaurav_maniar
Builder

Hi Eid,

Your query regex works fine in Splunk web, but I haven't checked it with Python.
As it is being used in Python, the reason you are getting this error is most probably the character escaping \\ at the end of your regex.

Try playing around with the character escapes at <Error_description>[^\\\\] and it will solve your problem.

0 Karma

eid1550
New Member

@gaurav_maniar Hi Gaurav! Yeah, that is part of it, but the issue also resides in the first half of the query. For example, the first half here, "raw "(?ms)^(?:[^\"\n]*\"){6}(?P<Error_code>\d+)", also gives me the same error... what am I supposed to escape here?

0 Karma

jawaharas
Motivator

Can you share the Python snippet where you use the regex?

0 Karma

eid1550
New Member

@jawaharas Hi, the Python is just in a variable like this:

query = """| rex field=_raw "(?ms)^(?:[^\"\n]*\"){6}(?P<Error_code>\d+)(?:[^\"\n]*\"){4}(?P<Error_description>[^\\]+)"""

then executed later.

0 Karma