Splunk Dev

Why the error in 'SearchParser': Mismatched ']' when using Splunk?

BongoNations
Explorer

Hi All, thanks for clicking on the question

This search works fine in Linux using grep, but I can't get it to work in Splunk. Please can you help?

I have imported a test.csv file that has many lines like the following

[ERROR] 2023/01/05 16:53:05 [!] Get "https://test.co.uk/sblogin/username": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

 

I am simply trying to extract the username field after sblogin/ and nothing else after the "

 

This is the query I have tried that gives the Error in 'SearchParser': Mismatched ']'

source="test.csv" | rex field=raw_line "sblogin/([^"]+)" | eval extracted_string=substr(extracted_string, 9)

 


BongoNations
Explorer

Thanks Rich, I just tried that and got this error:

Error in 'rex' command: The regex 'sblogin/([^\"]+)' does not extract anything. It should specify at least one named group. Format: (?<name>...)


richgalloway
SplunkTrust

We're making progress.  All that remains is to do as the message says and put a name to the capture group.

source="test.csv" 
| rex field=raw_line "sblogin/(?<extracted_string>[^\"]+)" 
| eval extracted_string=substr(extracted_string, 9)
---
If this reply helps you, Karma would be appreciated.

BongoNations
Explorer

Thanks I ran this query and it worked, but the output was basically everything, all text from the query lines. The usernames after sblogin/ were not specifically outputted on their own?

source="test.csv"
| rex field=raw_line "sblogin/(?<extracted_string>[^\"]+)"
| eval extracted_string=substr(extracted_string, 9)

I was hoping to just see all the usernames and nothing else.


richgalloway
SplunkTrust

We continue to make progress.

The rex command merely extracts fields.  The extracted fields are added to the existing set of fields.  To control which fields are shown in the results, use the fields or table command.

source="test.csv"
| rex field=raw_line "sblogin/(?<extracted_string>[^\"]+)"
| eval extracted_string=substr(extracted_string, 9)
| table extracted_string

BTW, the substr function is looking for the 9th character in extracted_string.  In the example data, extracted_string is "username", which doesn't have 9 characters so substr returns nothing.

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

Quotation marks must be triple-escaped in the rex command so they survive multiple layers of parsing.

 

source="test.csv" 
| rex field=raw_line "sblogin/([^\\\"]+)" 
| eval extracted_string=substr(extracted_string, 9)

 

---
If this reply helps you, Karma would be appreciated.

PickleRick
SplunkTrust

In this case, one backslash is enough 🙂 The quote is within a character class so it's treated literally.

But in other cases it could indeed need more escaping. (and yes, escaping regexes can be a pain).


BongoNations
Explorer

Even with one backslash I get the same error:

source="test.csv"
| rex field=raw_line "sblogin/([^\"]+)"
| eval extracted_string=substr(extracted_string, 9)

Error in 'rex' command: The regex 'sblogin/([^\"]+)' does not extract anything. It should specify at least one named group. Format: (?<name>...)

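The thread shows three different failures in sequence: an unescaped `"` that ends the quoted rex argument early (the SearchParser "Mismatched ']'" error, because the parser is left holding `]+)"`), a pattern with no named group (the rex error), and a `substr(extracted_string, 9)` that empties an eight-character username. The following is an added example, not code from the thread or from Splunk: a small Python model of those three steps that can be run offline against constructed log lines in the same shape as the one in the question. It assumes a simplified model of SPL quoting (inside `"..."`, `\"` is a literal quote, `\\` is a literal backslash, other backslash sequences such as `\d` pass through to the regex engine, and the first unescaped `"` closes the string) and the documented 1-based semantics of Splunk's `substr()`; the usernames and hosts in the sample lines are made up, and Python's `re` spells PCRE's `(?<name>...)` as `(?P<name>...)`, which the code rewrites.

```python
from __future__ import annotations

import re

# Constructed sample events in the same shape as the line quoted in the question
# (hypothetical host and usernames, not data from the thread).
SAMPLE_LINES = [
    '[ERROR] 2023/01/05 16:53:05 [!] Get "https://test.co.uk/sblogin/username": '
    'context deadline exceeded (Client.Timeout exceeded while awaiting headers)',
    '[ERROR] 2023/01/05 16:53:07 [!] Get "https://test.co.uk/sblogin/jsmith": '
    'context deadline exceeded (Client.Timeout exceeded while awaiting headers)',
    '[ERROR] 2023/01/05 16:53:09 [!] Get "https://test.co.uk/healthz": '
    'context deadline exceeded (Client.Timeout exceeded while awaiting headers)',
]


def spl_string(arg: str) -> tuple[str, str]:
    """Read one double-quoted SPL argument the way the search parser does.

    Assumed model of SPL quoting (a simplification, not Splunk's code): inside
    "...", \" is a literal quote and \\ is a literal backslash; any other
    backslash sequence (\d, \s, ...) is passed through unchanged; the first
    unescaped " closes the string. Returns (value, leftover). A non-empty
    leftover is text the parser must treat as further tokens, which is how an
    unescaped quote in the pattern becomes "Mismatched ']'".
    """
    if not arg.startswith('"'):
        raise ValueError("argument must start with a double quote")
    out: list[str] = []
    i = 1
    while i < len(arg):
        c = arg[i]
        if c == "\\" and i + 1 < len(arg):
            nxt = arg[i + 1]
            out.append(nxt if nxt in '"\\' else c + nxt)
            i += 2
            continue
        if c == '"':
            return "".join(out), arg[i + 1:]
        out.append(c)
        i += 1
    raise ValueError("unterminated double-quoted string")


def rex(pattern_arg: str, lines: list[str]) -> list[dict[str, str]]:
    """Emulate `| rex field=raw_line "<pattern>"`: add named-group captures to each event.

    Raises on the two failure modes seen in the thread: leftover tokens after the
    string (the SearchParser error) and a pattern with no named group (the rex error).
    """
    src, leftover = spl_string(pattern_arg)
    if leftover.strip():
        raise SyntaxError(f"Error in 'SearchParser': unexpected text {leftover!r}")
    # Splunk uses PCRE, where named groups are (?<name>...); Python's re wants (?P<name>...).
    regex = re.compile(re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", src))
    if not regex.groupindex:
        raise ValueError("Error in 'rex' command: the regex must contain a named group (?<name>...)")
    events = []
    for line in lines:
        event = {"raw_line": line}
        m = regex.search(line)
        if m:
            event.update({k: v for k, v in m.groupdict().items() if v is not None})
        events.append(event)
    return events


def table(events: list[dict[str, str]], field: str) -> list[str | None]:
    """Emulate `| table <field>`: keep only that column; events lacking it show as None."""
    return [e.get(field) for e in events]


def query(pattern_arg: str, lines: list[str]) -> list[str | None] | str:
    """Run rex + table and return the column, or the error text a user would see."""
    try:
        return table(rex(pattern_arg, lines), "extracted_string")
    except (SyntaxError, ValueError) as err:
        return str(err)


def spl_substr(value: str, start: int, length: int | None = None) -> str:
    """Splunk's substr(X, Y, Z) is 1-based (negative Y counts from the end) and
    returns "" when Y is past the end of X, which is why substr(x, 9) empties an
    8-character username. Assumed semantics from the docs, not Splunk's own code."""
    idx = start - 1 if start > 0 else len(value) + start
    if idx < 0 or idx >= len(value):
        return ""
    return value[idx:] if length is None else value[idx:idx + length]


if __name__ == "__main__":
    # The patterns from the thread, written exactly as they appear in the SPL.
    for arg in ['"sblogin/([^"]+)"',                         # original: unescaped quote ends the string early
                r'"sblogin/([^\"]+)"',                       # one backslash, but no named group
                r'"sblogin/(?<extracted_string>[^\"]+)"',    # working form
                r'"sblogin/(?<extracted_string>[^\\\"]+)"']: # triple-escaped form, also works
        print(arg, "->", query(arg, SAMPLE_LINES))
    print("substr('username', 9) =", repr(spl_substr("username", 9)))
```

Both `\"` and `\\\"` produce a usable pattern in this model: the first yields `[^"]`, the second `[^\"]`, and inside a character class an escaped quote is still just a quote. The event without `sblogin/` comes out as a missing field (None here), which is what `table` shows as an empty cell; if the goal is only the list of usernames, filter those events out before tabulating rather than relying on `substr`.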