Splunk Search

Regex is correct but splunk throws error

amunag439
Explorer

For the following log, I would like to filter by a string. I would have to extract the string using regex.

traceId=xyz msg=Patch for deviceId with body {"parameters":[{"value":"{\"code\":\"ABC_DEF_SEND_MACBOOKS\",\"commands\.....}
traceId=xyz msg=Patch for deviceId with body {"parameters":[{"value":"{\"code\":\"ABC_DEF_OPEN_MACBOOKS\",\"commands\.....}

My Splunk query is as follows.
host=* sourcetype="*" source="example.log" "msg=Patch for deviceId*" | rex "code\\"\:\\"(?<codes>.{20})" | where codes=ABC_DEF_SEND_MACBOOKS

But splunk throws the below error related to regex
Error in 'rex' command: Encountered the following error while compiling the regex 'code\\:\(?<codes>.{20})': Regex: unmatched closing parenthesis

When I checked the regex in regex101.com, the output for codes is as expected.
What is wrong with the parenthesis in this case?

0 Karma
1 Solution

Sukisen1981
Champion

try this:

    host=* sourcetype="*" source="example.log" "msg=Patch for deviceId*" |  rex field=_raw "code\\\+\":+\\\+\"(?<codes>.*?)\\\+" | where codes="ABC_DEF_SEND_MACBOOKS"

in your where condition you also need to have your string within quotes like above

View solution in original post

Sukisen1981
Champion

try this:

    host=* sourcetype="*" source="example.log" "msg=Patch for deviceId*" |  rex field=_raw "code\\\+\":+\\\+\"(?<codes>.*?)\\\+" | where codes="ABC_DEF_SEND_MACBOOKS"

in your where condition you also need to have your string within quotes like above

koshyk
Super Champion

my guess is reason of failure is due to you not escaping double quotes "

Try something like..

host=* sourcetype="*" source="example.log" "msg=Patch for deviceId*" | rex "code\\\"\:\\\"(?<codes>.{20})" 

cheers

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...