Splunk Enterprise

Why does my search return an error "Regex: missing closing parenthesis" when the regular expression is valid?

With the following search:

index=digitalguardian | transaction Computer_Name | rex  (?<=\\)(?<SiteCode>.{3})(?=-)

I get the following error:

Error in 'rex' command: Encountered the following error while compiling the regex '(?<=)(?.{3})(?=-)': Regex: missing closing parenthesis

Testing the regex in a Regex tester (specifically regex101.com) the regex tests as valid, and properly matches the intended characters. Further, examining the expression there seems to be a proper number of parenthesis (opening and closing) both in the expression and error message.

Why is Splunk handling this regular expression in this manner?


Splunk Employee

@CaninChristellCOP - Did the answer provided by acharlieh help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!


Influencer

I am admittedly curious about the use of positive lookahead and lookbehind, as opposed to just matching the slash and dash characters outright, as it seems like this would add steps to your regex matching, but in any case....

This might be worth filing a bug on your support contract, as it does seem fairly odd (I tried things out on both Splunk 6.3.8 and 6.5.2).

I think you want | rex "\\\(?<SiteCode>.{3})-" No, it doesn't pass regex101's checker, but I think Splunk may be reading the argument to rex as a string, so backslash escaping is happening with the simple reading of the string, so then too few slashes are present when it goes to parse the regex. It seems to work fine with 3 or 4 backslashes... Try these run-anywhere queries:

| makeresults | eval _raw="FOO BAR\BIG-banananananana" | rex  (?<=\\\)(?<SiteCode>.{3})(?=-)

| makeresults | eval _raw="FOO BAR\BIG-banananananana" | rex  \\\(?<SiteCode>.{3})-

| makeresults | eval _raw="FOO BAR\BIG-banananananana" | rex  "\\\(?<SiteCode>.{3})-"

| makeresults | eval _raw="FOO BAR\BIG-banananananana" | rex  "\\\\(?<SiteCode>.{3})-"

Offtopic... regarding your search, I think transaction should preserve values from extracted fields, so you should be able to invert your rex and transaction command, which if you're in a distributed environment would mean your rex would be distributed to your indexers instead of having to run on your search head after the transaction command occurs.
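The two-layer escaping acharlieh describes can be modelled outside Splunk. The following is an added example, not code from the thread or from Splunk: a hypothetical splUnescape() stands in for the string processing assumed to run over the rex argument before the regex engine sees it (it is assumed to collapse only "\\" and "\"", leaving other backslash sequences alone), and JavaScript's RegExp is used as the regex compiler because it accepts the same lookbehind and (?<name>...) syntax as the thread's pattern. The sample event is the one from the makeresults queries above.

```javascript
// Added example (not from the thread). Models acharlieh's explanation: the rex
// argument is first read as a string (one pass of backslash unescaping) and only
// the result is handed to the regex compiler.

// Constructed sample event, same text as the thread's makeresults queries.
const SAMPLE = "FOO BAR\\BIG-banananananana";

// ASSUMPTION: the string layer collapses only "\\" -> "\" and "\"" -> '"';
// every other backslash sequence is passed through untouched.
function splUnescape(s) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    if (s[i] === "\\" && (s[i + 1] === "\\" || s[i + 1] === '"')) {
      out += s[i + 1];
      i++; // consume the escaped character
    } else {
      out += s[i];
    }
  }
  return out;
}

// Compile what the regex engine actually receives; report the error instead of throwing.
function compileRexPattern(arg) {
  const seen = splUnescape(arg);
  try {
    return { pattern: seen, regex: new RegExp(seen), error: null };
  } catch (e) {
    return { pattern: seen, regex: null, error: e.message };
  }
}

// Run the pattern over an event and pull out the SiteCode capture group.
function extractSiteCode(arg, raw = SAMPLE) {
  const r = compileRexPattern(arg);
  if (r.error) return { pattern: r.pattern, error: r.error, SiteCode: null };
  const m = r.regex.exec(raw);
  return { pattern: r.pattern, error: null, SiteCode: m ? m.groups.SiteCode : null };
}

// The variants from the thread, written with String.raw so the source shows
// exactly the backslashes a user would type into the search bar.
const VARIANTS = [
  String.raw`(?<=\)(?<SiteCode>.{3})(?=-)`,      // 1 backslash: "\)" escapes the paren
  String.raw`(?<=\\)(?<SiteCode>.{3})(?=-)`,     // 2: collapses to "\)" -> same failure
  String.raw`(?<=\\\)(?<SiteCode>.{3})(?=-)`,    // 3: becomes "\\)" -> literal backslash
  String.raw`\\\\(?<SiteCode>.{3})-`,            // 4: becomes "\\(" -> works too
];

for (const v of VARIANTS) {
  const r = extractSiteCode(v);
  console.log(`typed: ${v}\n  regex sees: ${r.pattern}\n  result: ${r.error ?? "SiteCode=" + r.SiteCode}`);
}
```

With one or two backslashes the compiler sees `\)` inside the lookbehind, so the group is never closed, which is the "missing closing parenthesis" the question reports; with three or four it sees `\\`, a literal backslash, and the extraction succeeds.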

Explorer

I have a similar error. The following search works fine in the Splunk UI:

index="appIndex" host="somehost" | fields TransUID | rex field=_raw "^[^[\n][(?P[^]]+)"| transaction TransUID

But when I use the same query in JavaScript (SplunkJS) in my web app, I get the following error:

Error in 'rex' command: Encountered the following error while compiling the regex '^[^[ ]*[(?P[^]]+)': Regex: unmatched closing parenthesis


Explorer

Thanks acharlieh.
It's working after I changed it to *\[(?P[^]]+)".

index="appIndex" host="somehost" | rex field=_raw "^[^[\n]\[(?P[^]]+)" | transaction TransUID


Upon further review, it appears that Splunk is choking on the escaped backslash, and interpreting it as escaping the parenthesis mark. As one might expect, removing the first backslash to not escape the backslash also produces the same error.

Motivator

Some sample data would be helpful?


As in for the Computer_Name field? It doesn't even attempt to run the regex, it just dies on compiling the regex. The problem isn't that it's not matching the Regex, it's that it dies before it even attempts to match the Regex.
