Why the error in 'SearchParser': Mismatched ']' when using Splunk?

BongoNations
Explorer

Hi All, thanks for clicking on the question

This search works fine in Linux using grep, but I can't get it to work in Splunk. Please can you help.

I have imported a test.csv file that has many lines like the following

[ERROR] 2023/01/05 16:53:05 [!] Get "https://test.co.uk/sblogin/username": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

I am simply trying to extract the username field after sblogin/ and nothing else after the ".

This is the query I have tried; it gives the error "Error in 'SearchParser': Mismatched ']'":

source="test.csv" | rex field=raw_line "sblogin/([^"]+)" | eval extracted_string=substr(extracted_string, 9)

BongoNations
Explorer

Thanks Rich, I just tried that and got this error:

Error in 'rex' command: The regex 'sblogin/([^\"]+)' does not extract anything. It should specify at least one named group. Format: (?<name>...)

richgalloway
SplunkTrust

We're making progress.  All that remains is to do as the message says and put a name to the capture group.

source="test.csv" 
| rex field=raw_line "sblogin/(?<extracted_string>[^\"]+)" 
| eval extracted_string=substr(extracted_string, 9)
---
If this reply helps you, Karma would be appreciated.

BongoNations
Explorer

Thanks, I ran this query and it worked, but the output was basically everything, all the text from the query lines. The usernames after sblogin/ were not output on their own?

source="test.csv"
| rex field=raw_line "sblogin/(?<extracted_string>[^\"]+)"
| eval extracted_string=substr(extracted_string, 9)

I was hoping to just see all the usernames and nothing else.

richgalloway
SplunkTrust

We continue to make progress.

The rex command merely extracts fields.  The extracted fields are added to the existing set of fields.  To control which fields are shown in the results, use the fields or table command.

source="test.csv"
| rex field=raw_line "sblogin/(?<extracted_string>[^\"]+)"
| eval extracted_string=substr(extracted_string, 9)
| table extracted_string

BTW, the substr function is looking for the 9th character in extracted_string.  In the example data, extracted_string is "username", which doesn't have 9 characters so substr returns nothing.

---
If this reply helps you, Karma would be appreciated.
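
The working pipeline from this answer, replayed in Python as an added example (it is not code from the thread or from Splunk's own tooling): it applies the same regex with a named capture group to a few constructed log lines in the shape of the test.csv entry, mimics `| table extracted_string`, and models SPL's 1-based `substr` so the point about substr(extracted_string, 9) is visible on realistic input. Assumptions: Python's re module spells a named group (?P<name>...) rather than (?<name>...); a raw single-quoted pattern needs no backslash before the quote inside the character class (unlike the SPL string, where the quote has to be escaped); the extra usernames and the /healthz line are made up for the example.

```python
import re

# Constructed sample events in the shape of the thread's test.csv line.
# The j.bloggs, alice.longname and /healthz lines are made up for this example.
SAMPLE_LINES = [
    '[ERROR] 2023/01/05 16:53:05 [!] Get "https://test.co.uk/sblogin/username": '
    'context deadline exceeded (Client.Timeout exceeded while awaiting headers)',
    '[ERROR] 2023/01/05 16:53:07 [!] Get "https://test.co.uk/sblogin/j.bloggs": '
    'context deadline exceeded (Client.Timeout exceeded while awaiting headers)',
    '[ERROR] 2023/01/05 16:53:08 [!] Get "https://test.co.uk/sblogin/alice.longname": '
    'context deadline exceeded (Client.Timeout exceeded while awaiting headers)',
    '[ERROR] 2023/01/05 16:53:09 [!] Get "https://test.co.uk/healthz": '
    'context deadline exceeded (Client.Timeout exceeded while awaiting headers)',
]

# Same pattern as the thread's rex: sblogin/(?<extracted_string>[^\"]+)
# Python's re module spells a named group (?P<name>...). In a raw, single-quoted
# Python string the " inside the character class needs no escaping at all.
SBLOGIN_RE = re.compile(r'sblogin/(?P<extracted_string>[^"]+)')


def rex(line):
    """Mimic `| rex`: return the named groups as new fields. On a non-matching
    event rex adds nothing and does not error, so return an empty dict."""
    match = SBLOGIN_RE.search(line)
    return match.groupdict() if match else {}


def splunk_substr(value, start, length=None):
    """Mimic SPL substr(X, Y[, Z]) for a positive Y: Y is 1-based, so
    substr("username", 9) starts past the last of the 8 characters and
    returns "". Negative Y (counting from the end) is not modelled here."""
    if start < 1:
        raise ValueError("only positive 1-based start positions are modelled")
    end = None if length is None else start - 1 + length
    return value[start - 1:end]


def run_pipeline(lines, apply_substr):
    """Run the thread's pipeline over the sample events:
    rex -> (optional eval extracted_string=substr(extracted_string, 9)) -> table.
    Returns the extracted_string column, one value per event that has the field
    (events without it would show as an empty row in `table`; they are skipped)."""
    rows = []
    for line in lines:
        fields = rex(line)
        if "extracted_string" not in fields:
            continue
        if apply_substr:
            fields["extracted_string"] = splunk_substr(fields["extracted_string"], 9)
        rows.append(fields["extracted_string"])
    return rows


if __name__ == "__main__":
    print("without substr:", run_pipeline(SAMPLE_LINES, apply_substr=False))
    print("with substr(x, 9):", run_pipeline(SAMPLE_LINES, apply_substr=True))
```

Running the block shows the full usernames when the eval is left out, and shows empty values (or the tail of a long username) when the 1-based substr from position 9 is applied, which is the behaviour the answer describes.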

richgalloway
SplunkTrust

Quotation marks must be triple-escaped in the rex command so they survive multiple layers of parsing.

source="test.csv" 
| rex field=raw_line "sblogin/([^\\\"]+)" 
| eval extracted_string=substr(extracted_string, 9)

---
If this reply helps you, Karma would be appreciated.

PickleRick
SplunkTrust

In this case one backslash is enough 🙂 The quote is within a character class, so it's treated literally.

But in other cases it could indeed need more escaping. (and yes, escaping regexes can be a pain).


BongoNations
Explorer

Even with one backslash I get the same error:

source="test.csv"
| rex field=raw_line "sblogin/([^\"]+)"
| eval extracted_string=substr(extracted_string, 9)

Error in 'rex' command: The regex 'sblogin/([^\"]+)' does not extract anything. It should specify at least one named group. Format: (?<name>...)
