Splunk Search

Regex: syntax error in subpattern name (missing terminator)

edrivera3
Builder

Hi
I encountered the following error message:

Error Message:
Error in 'rex' command: Encountered the following error while compiling the regex '(?<failed_step>STEP:[\w\W\n]+?RETRIES:\s{3}\d+)': Regex: syntax error in subpattern name (missing terminator)

The extraction works correctly in the Search and Reporting App.

This is my HTML page:

    <script>
    var deps = [
        "splunkjs/ready!",
        "splunkjs/mvc",
        "splunkjs/mvc/utils",
        "splunkjs/mvc/searchmanager",
        "splunkjs/mvc/chartview",
        "splunkjs/mvc/checkboxgroupview",
        "splunkjs/mvc/checkboxview",
        "splunkjs/mvc/dropdownview",
        "splunkjs/mvc/eventsviewerview",
        "splunkjs/mvc/multidropdownview",
        "splunkjs/mvc/radiogroupview",
        "splunkjs/mvc/searchbarview",
        "splunkjs/mvc/searchcontrolsview",
        "splunkjs/mvc/singleview",
        "splunkjs/mvc/tableview",
        "splunkjs/mvc/textinputview",
        "splunkjs/mvc/timelineview",
        "splunkjs/mvc/timerangeview",
        "splunkjs/mvc/simplexml",
        "splunkjs/mvc/splunkmapview",
        "jquery",
        "splunk_wftoolkit/components/bubblechart/bubblechart",
        "splunk.config",
        "underscore"
    ];
    require(deps, function(mvc) {
        // Load individual components
        var SearchManager = require("splunkjs/mvc/searchmanager");
        var TimelineView = require("splunkjs/mvc/timelineview");
        var ChartView = require("splunkjs/mvc/chartview");
        var CheckboxGroupView = require("splunkjs/mvc/checkboxgroupview");
        var CheckboxView = require("splunkjs/mvc/checkboxview");
        var DropdownView = require("splunkjs/mvc/dropdownview");
        var EventsViewer = require("splunkjs/mvc/eventsviewerview");
        var MultiDropdownView = require("splunkjs/mvc/multidropdownview");
        var RadioGroupView = require("splunkjs/mvc/radiogroupview");
        var SearchbarView = require("splunkjs/mvc/searchbarview");
        var SearchControlsView = require("splunkjs/mvc/searchcontrolsview");
        var SingleView = require("splunkjs/mvc/singleview");
        var TableView = require("splunkjs/mvc/tableview");
        var TextInputView = require("splunkjs/mvc/textinputview");
        var TimeRangeView = require("splunkjs/mvc/timerangeview");
        var BubbleView = require("splunk_wftoolkit/components/bubblechart/bubblechart");

        // Table (Top Failed Steps in test containing this error)

        var Top_FailStep = new SearchManager({
            id: "Top_FailStep",
            search: mvc.tokenSafe('index=tirfile AND [search index=jobevent earliest=\"-1y\" latest=\"now\" error_num=$error_num$ test_num=$test_num$ | fields test_num,cart_num] | rex field=test_step \"(?&lt;failed_step&gt;STEP:[\\w\\W\\n]+?RETRIES:\\s{3}\\d+)\" '),
            cache: true,
            preview: true
        });

        var table_Top_FailStep = new TableView({
            id: "table_Top_FailStep",
            managerid: "Top_FailStep",
            el: $("#table_Top_FailStep")
        }).render();
    });
    </script>

I appreciate your help.

0 Karma
1 Solution

edrivera3
Builder

First of all, thanks stephanefotso for trying to help.

I found the solution to my problem. It appears that when you are working with the web framework you cannot use the HTML entity to add the < > symbols. The way around this is to simply escape the < > symbols.

    search: mvc.tokenSafe('index=tirfile AND [search index=jobevent  earliest="-1y" latest="now" error_num=$error_num$ test_num=$test_num$ | fields test_num,cart_num] | rex field=test_step "(?\<failed_step\>STEP:[\\w\\W\\n]+RETRIES:\\s{3}\\d+)" max_match=0 '),

0 Karma
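
An added example, not part of the original thread, showing why the entity form fails: text inside a `<script>` element is not entity-decoded, so `rex` receives the literal `(?&lt;failed_step&gt;`, and PCRE reads `(?&` as the start of a `(?&name)` subroutine call and stops at the `;`. The helpers `rexPatterns`, `lintSearch` and `extractFailedStep` are hypothetical, the searches are shortened from the posts, the sample value is constructed, and JavaScript's `RegExp` only approximates Splunk's PCRE engine.

```javascript
// Added example, not from the thread. JavaScript's RegExp stands in for
// Splunk's PCRE engine; the two differ, but both reject "(?&lt;".

// Entities that show markup-encoded text leaked into a search string.
const ENTITY = /&(?:lt|gt|amp|quot|#\d+|#x[0-9a-f]+);/gi;

// Hypothetical helper: return the quoted pattern of each `| rex ... "..."`.
function rexPatterns(spl) {
  const out = [];
  const re = /\|\s*rex\b[^"|]*"((?:[^"\\]|\\.)*)"/g;
  let m;
  while ((m = re.exec(spl)) !== null) out.push(m[1]);
  return out;
}

// Hypothetical helper: list entities and test-compile every rex pattern.
function lintSearch(spl) {
  return rexPatterns(spl).map((pattern) => {
    const entities = pattern.match(ENTITY) || [];
    let compiles = true;
    try { new RegExp(pattern); } catch (e) { compiles = false; }
    return { pattern, entities, compiles };
  });
}

// Hypothetical helper: apply the first rex pattern to one field value.
function extractFailedStep(spl, value) {
  const [pattern] = rexPatterns(spl);
  const m = new RegExp(pattern).exec(value);
  return m ? m.groups.failed_step : null;
}

// Searches shortened from the posts, written as they appear in the page's
// JavaScript. "&lt;" stays as four literal characters; "\<" becomes "<".
const before = 'index=tirfile | rex field=test_step "(?&lt;failed_step&gt;STEP:[\\w\\W\\n]+?RETRIES:\\s{3}\\d+)" ';
const after = 'index=tirfile | rex field=test_step "(?\<failed_step\>STEP:[\\w\\W\\n]+RETRIES:\\s{3}\\d+)" max_match=0 ';

// Constructed test_step value with three spaces after RETRIES:, as \s{3} needs.
const sample = "STEP: 0902 RESULT: PASS ACTUAL: NO DATA READ RETRIES:   1";

console.log(lintSearch(before)); // entities: ["&lt;", "&gt;"], compiles: false
console.log(lintSearch(after));  // entities: [], compiles: true
console.log(extractFailedStep(after, sample)); // the whole sample value
```

Running a check like `lintSearch` over every search string in a dashboard's JavaScript catches entity-encoded patterns before they reach `SearchManager`.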

stephanefotso
Motivator

Hello
Escape the colons (STEP\: RETRIES\:) in your regular expression, and let me know what happens.
Thanks

SGF
0 Karma

edrivera3
Builder

There was no change. I tried a single escape (\) and a double escape (\\).

0 Karma

stephanefotso
Motivator

Try this

    search: mvc.tokenSafe("index=tirfile AND [search index=jobevent earliest=\"-1y\" latest=\"now\" error_num=$error_num$ test_num=$test_num$ | fields test_num,cart_num] | rex field=test_step \"(?&lt;failed_step&gt;STEP\:[\\w\\W\\n]+?RETRIES\:\\s{3}\\d+)\" ")

SGF
0 Karma

edrivera3
Builder

There was no change.

0 Karma

stephanefotso
Motivator

Wow! OK, now try this:

    search: mvc.tokenSafe("index=tirfile AND [search index=jobevent earliest=\"-1y\" latest=\"now\" error_num=$error_num$ test_num=$test_num$ | fields test_num,cart_num] | rex field=test_step \"(?&lt;failed_step&gt;STEP\:[\w\W\n]+?RETRIES\:\s{3}\d+)\" ")

or this:

    search: mvc.tokenSafe('index=tirfile AND [search index=jobevent earliest=\"-1y\" latest=\"now\" error_num=$error_num$ test_num=$test_num$ | fields test_num,cart_num] | rex field=test_step \\"(?&lt;failed_step&gt;STEP\:[\\w\\W\\n]+?RETRIES\:\\s{3}\\d+)\\" ')

SGF
0 Karma

edrivera3
Builder

There was no change. The app page didn't load with the second one. I am going to update my question to bring more information about my page.

0 Karma

stephanefotso
Motivator

OK. Also, let me get your sample event where you are extracting failed_step.

SGF
0 Karma

edrivera3
Builder

I cannot give you an example event because it is a large file. But I am extracting the fields correctly because I verified the regular expression in my Search and Reporting App and the table I want to have in my app.

The field "failed_step" is extracted from the field "test_step", and its values (test_step) look like this one:

STEP: 0902 RESULT: PASS ACTUAL: NO DATA READ RETRIES: 1

Basically, what I am doing is separating the steps that have failed from the general steps. Also, the data format in the steps is unstructured and random. This is the reason why I am extracting everything with [\w\W\n].

I think the problem is related to HTML. I really don't know anything about HTML, and maybe there is some restriction that I am missing.

0 Karma

stephanefotso
Motivator

The problem is to escape the keywords properly. It would be easier for me if I had one of your events, to make a test myself.
Thanks.

SGF
0 Karma