Re: Why does my search return an error "Regex: mis...

CaninChristellC · ‎02-16-2017

With the following search:

index=digitalguardian | transaction Computer_Name | rex  (?<=\\)(?<SiteCode>.{3})(?=-)

I get the following error:

Error in 'rex' command: Encountered the following error while compiling the regex '(?<=)(?.{3})(?=-)': Regex: missing closing parenthesis

Testing the regex in a Regex tester (specifically regex101.com) the regex tests as valid, and properly matches the intended characters. Further, examining the expression there seems to be a proper number of parenthesis (opening and closing) both in the expression and error message.

Why is Splunk handling this regular expression in this manner?

aaraneta_splunk · ‎03-19-2017

@CaninChristellCOP - Did the answer provided by acharlieh help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

acharlieh · ‎02-16-2017

I am admittedly curious about the use of positive lookahead and behind, as opposed to just matching the slash and dash characters outright as it seems like this would add steps to your regex matching, but in any case....

This might be worth a filing a bug on your support contract, as it does seem fairly odd (I tried things out on both Splunk 6.3.8 and 6.5.2)

I think you want | rex "\\\(?<SiteCode>.{3})-" No it doesn't pass regex101's checker, but I think Splunk may be reading the argument to rex as a string, so backslash escaping is happening with the simple reading of the string so then too few slashes are present when it then goes to parse the regex. It seems to work fine with 3 or 4 backslashes... Try these run anywhere queries:

| makeresults | eval _raw="FOO BAR\BIG-banananananana" | rex  (?<=\\\)(?<SiteCode>.{3})(?=-)

| makeresults | eval _raw="FOO BAR\BIG-banananananana" | rex  \\\(?<SiteCode>.{3})-

| makeresults | eval _raw="FOO BAR\BIG-banananananana" | rex  "\\\(?<SiteCode>.{3})-"

| makeresults | eval _raw="FOO BAR\BIG-banananananana" | rex  "\\\\(?<SiteCode>.{3})-"

Offtopic... regarding your search, I think transaction should preserve values from extracted fields, so you should be able to invert your rex and transaction command, which if you're in a distributed environment would mean your rex would be distributed to your indexers instead of having to run on your search head after the transaction command occurs.

AshChakor · ‎04-24-2019

I have similar error. My following search in splunkUI works fine

index="appIndex*" host="somehost" | fields TransUID | rex field=_raw "^[^[\n]*[(?P[^]]+)"| transaction TransUID

But when I use the same query in javascript (SplunkJS) in my webapp I get following error.

Error in 'rex' command: Encountered the following error while compiling the regex '^[^[ ]*[(?P[^]]+)': Regex: unmatched closing parenthesis

AshChakor · ‎04-24-2019

Thanks acharlieh.
It's working after I changed it to *\[(?P[^]]+)".

index="appIndex*" host="somehost" | rex field=_raw "^[^[\n]*\[(?P[^]]+)" | transaction TransUID

CaninChristellC · ‎02-16-2017

Upon further review, it appears that Splunk is choking on the escaped backslash, and interpreting it as escaping the parenthesis mark. As one might expect, removing the first backslash to not escape the backslash also produces the same error.

vasanthmss · ‎02-16-2017

some sample data would help ful?

V

CaninChristellC · ‎02-16-2017

As in for the Computer_Name field? It doesn't even attempt to run the regex, it just dies on compiling the regex. The problem isn't that it's not matching the Regex, it's that it dies before it even attempts to match the Regex.

Why does my search return an error "Regex: missing closing parenthesis" when the regular expression is valid?

other

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk