Solved: Re: Mismatch '[' error in field extraction using r...

Manonmani5 · ‎04-18-2018

I am a new splunk user and apologies for this dump question. I tried to extract a field with the fort "servername:portnumber"

( ex: sd45j478889:23684) using field extractor.

I got the below regular expression in field extractor.

^(?:[^"\n]*"){8}\s+(?P[^ ]+)

This didn't worked for all the events because of different sourcetypes. So I tried to use this regex in my search. When I used this in my search I am getting "Mismatch '[' " error. Below is the query I used.

index= xyz | rex "^(?:[^"\n]*"){8}\s+(?P[^ ]+)"|table Port

I couldn't find what is wrong with the expression. can someone please help

kthammireddygar · ‎04-18-2018

Can you please provide the whole event.

View solution in original post

niketn · ‎04-18-2018

@Manonmani5 while posting sample event or code, please use the code button (101010 or CTRL+K) on Splunk Answers to ensure that special characters in your code or sample data does not get escaped. Alternatively you can add four spaces before each line of your code and make sure there is an enter before the first line of code.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

kthammireddygar · ‎04-18-2018

Can you please provide the whole event.

Manonmani5 · ‎04-19-2018

[19/Apr/2018:07:44:36 -0400] "GET /tyywuenndri/css/select2.png HTTP/1.1" 200 613 "https://eps.nyuehrnf.com/ajeunx/css/select2.css" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "3373" "ij10k222:25898"

kthammireddygar · ‎04-19-2018

Try this :

index=abc sourcetype=xyz | rex "\"(?P<Servername>\w+)\:(?P<Portnumber>\d+)\""

Manonmani5 · ‎04-23-2018

Thanks.. This worked for me

Manonmani5 · ‎04-23-2018

May I know what was the problem with the below regex.

^(?:[^"\n]*"){8}\s+(?P[^ ]+)

This expression I got when I extracted the field using 'Field Extractor'

p_gurav · ‎04-18-2018

Can you try :

| rex field= _raw "(?P<servername>[^\:]+):(?P<portnumber>+)"

p_gurav · ‎04-18-2018

Also one question servername:portnumber is always same the way you specified in example. Is it field or you are extracting from raw event. Can you provide whole event?

Manonmani5 · ‎04-18-2018

Yes.. The format is same... But the server name and port number will be different based on servers. While executing the above regex I am getting error as "The regex '_raw' does not extract anything. It should specify at least one named group. Format: (?...). "

p_gurav · ‎04-18-2018

I already made a group called servername and portnumber above? My mistake, remove space:

| rex field=_raw "(?P<servername>[^\:]+):(?P<portnumber>+)"

Manonmani5 · ‎04-19-2018

This is the error I am getting."Error in 'rex' command: Encountered the following error while compiling the regex '(?P[^:]+):(?P+)': Regex: nothing to repeat"
Sample Event:
[19/Apr/2018:07:44:36 -0400] "GET /tyywuenndri/css/select2.png HTTP/1.1" 200 613 "https://eps.nyuehrnf.com/ajeunx/css/select2.css" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "3373" "ij10k222:25898"

Manonmani5 · ‎04-18-2018

Thanks. It didn't worked. For the second one 'I got error as 'Error in 'rex' command: Encountered the following error while compiling the regex '(?P[^:]+):(?P+)': Regex: nothing to repeat'.

And for the first I got error like 'Error in 'SearchParser': Missing a search command before '^'. Error at position '64' of search query 'search index= spider_prod | rex "^(?:[^\"\n]*"){8...{snipped} {errorcontext = (?P[^ ]+)"}'.'

Below is the search condition I used for the first one.

index= xyz | rex "^(?:[^\"\n]*"){8}\s+(?P[^ ]+)"

Sukisen1981 · ‎04-18-2018

can you give a sample of your raw event?

Manonmani5 · ‎04-19-2018

30.130.51.1 eps.vincetryu.com - [19/Apr/2018:07:44:36 -0400] "GET /tyywuenndri/css/select2.png HTTP/1.1" 200 613 "https://eps.nyuehrnf.com/ajeunx/css/select2.css" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" "3373" "ij10k222:25898"

Manonmani5 · ‎04-19-2018

Above is the sample event . I have to extract "ij10k222.25898" from the event

p_gurav · ‎04-18-2018

Can you try:

| rex "^(?:[^\"\n]*"){8}\s+(?P[^ ]+)"

Also try :

| rex "(?P<servername>[^\:]+):(?P<portnumber>+)"

Mismatch '[' error in field extraction using regular expression

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation