I am a beginner with Regex and Splunk. I am trying to use a regular expression generated during field extraction in an online search because I have different sourcetypes. While using the regex I am getting a Mismatched ']' error.
rex "^[^[\n][(?P[^ ]+)[^"\n]"\w+(?P\s+/\w+)"
Hi,
try this: | rex field=_raw "^\[(?<time>[^\]]+)\][^/]*/(?<app>\w+)/"
HTH
Oliver
Thank you. But it's not matching the pattern.
How so? It is on my side of the screen 🙂
| makeresults | eval _raw="[15/May/2020:03:51:10 -0400] \"GET /ironpc/services/restapi...." | rex field=_raw "^\[(?<time>[^\]]+)\][^/]*/(?<app>\w+)/"
Maybe the event data is not in the _raw field? What part is not matching?
The time field is extracted as expected. The app field is returning values like PC, JP.
Hi Manoshanni, I solved your initial question by telling you why the error occurred. I gave you a regex that works like a charm on the data you provided, and your comment "PC, JP" makes no sense to me. If you would like to ignore the "iron" and just return "pc", "jp", ... you should have only had those in bold. | rex field=_raw "^\[(?<time>[^\]]+)\][^/]*/iron(?<app>\w+)/"
Hi,
all brackets () [] {} always have to come in pairs. They all have special meanings in regex and must be closed. The "Mismatch" error tells you that you have a bracket that is missing its counterpart. It's hard to tell exactly what you need, because you've not included the data sample and the result you'd like to get, but I assume that you want something like this:
rex "^\[(?<fieldnameA>[^\]]+)\][^\"\n]*\"\w+(?<fieldnameB>\s+/\w+)"
Note the two \" that differ from your regex. Since the " closes your regex string prematurely (giving you a bracket error), they need to be escaped as \" if you want to search your data for a " character. Also, you might want to include field names in your regex.
Hope it helps
Oliver
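To make the two points of this thread concrete (an unpaired `[` or an unescaped `"` breaks the pattern before it ever runs, and the working regex pulls out `time` and `app` from the posted events), here is an added example that is not part of the original thread. It runs the regexes from the answers above against the two sample lines the asker posted. Splunk's rex engine is PCRE and accepts `(?<name>...)`; Python's `re` only accepts `(?P<name>...)`, so that is the one translation made here. The `iron`-stripping variant from the later reply is included as well.

```python
"""Exercise the rex patterns from this thread against the posted sample events.

Added example, not code from the original thread. Splunk uses PCRE, which
accepts (?<name>...); Python's re needs (?P<name>...), so the named groups
are written in the Python form. The two sample events are exactly the lines
the asker posted, including their trailing "...." elision.
"""
import re

# The two raw events posted in the thread, unchanged.
SAMPLE_EVENTS = [
    '[15/May/2020:03:51:10 -0400] "GET /ironpc/services/restapi....',
    '[15/May/2020:03:50:10 -0400] "GET /ironjp/rest/userdata...',
]

# The working regex from the answer: \[ and \] are escaped so they are
# literal brackets, and [^\]]+ is a class of "anything but ]".
WORKING = re.compile(r'^\[(?P<time>[^\]]+)\][^/]*/(?P<app>\w+)/')

# Variant from the follow-up reply: the fixed "iron" prefix sits outside
# the group, so app comes back as "pc" / "jp" instead of "ironpc" / "ironjp".
WORKING_STRIP_IRON = re.compile(r'^\[(?P<time>[^\]]+)\][^/]*/iron(?P<app>\w+)/')

# The asker's pattern as it appears in the post (group names were lost in
# the forum formatting). The unescaped [ opens a character class that
# swallows the following (?P..., leaving a ) with no opening partner.
ORIGINAL = r'^[^[\n][(?P[^ ]+)[^"\n]"\w+(?P\s+/\w+)'


def extract(events, pattern=WORKING):
    """Return (time, app) per event, or None where the pattern does not match."""
    results = []
    for event in events:
        m = pattern.match(event)
        results.append((m.group("time"), m.group("app")) if m else None)
    return results


def compile_error(pattern):
    """Return the regex compiler's message for a broken pattern, else None."""
    try:
        re.compile(pattern)
    except re.error as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("original pattern:", compile_error(ORIGINAL))
    for row in extract(SAMPLE_EVENTS):
        print("time=%s app=%s" % row)
    for row in extract(SAMPLE_EVENTS, WORKING_STRIP_IRON):
        print("time=%s app=%s" % row)
```

Two caveats when moving between the two engines. PCRE (Splunk) reports the asker's pattern as a mismatched `]`, while Python's `re` reports the same imbalance as an unbalanced parenthesis; the root cause, the unescaped `[`, is identical. And the `\"` escaping discussed in the answer is a property of SPL's double-quoted string, not of the regex: in a Python raw string a bare `"` is fine, which is why `ORIGINAL` above carries `"` rather than `\"`.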
I am trying to extract data from web server logs.
Below are the sample logs. I am trying to extract the timestamp and the application the call is hitting, primarily to get the web traffic.
[15/May/2020:03:51:10 -0400] "GET /ironpc/services/restapi....
[15/May/2020:03:50:10 -0400] "GET /ironjp/rest/userdata...
@Manoshanni
if this is one of the major web servers, then there is an add-on for it which does the parsing of all/most fields for you:
https://splunkbase.splunk.com/app/3186/ Apache / httpd
https://splunkbase.splunk.com/app/3258/ nginx
etc
Please edit the example regex above and format it as code text using the 101010 formatting button, so that all your characters are visible. It's likely that the * characters can be guessed, but there could be other characters that are missing.
Hello @Manoshanni
this regex is not correct; you can test it here: https://regex101.com/
Post a few raw events here so somebody can help you build a correct regex. Regexes created using the field extraction tool are usually not very practical.