Splunk Search

Regex throwing Mismatched ']' in search

Manoshanni
New Member

I am a beginner with regex and Splunk. I am trying to use the regular expression generated during field extraction in an online search because I have different sourcetypes. While using the regex I am getting a Mismatched ']' error.

rex "^[^[\n][(?P[^ ]+)[^"\n]"\w+(?P\s+/\w+)"


ololdach
Builder

Hi,
try this: | rex field=_raw "^\[(?<time>[^\]]+)\][^/]*/(?<app>\w+)/"
HTH
Oliver


Manoshanni
New Member

Thank you. But it's not matching the pattern.


ololdach
Builder

How so? It is on my side of the screen 🙂
| makeresults | eval _raw="[15/May/2020:03:51:10 -0400] \"GET /ironpc/services/restapi...." | rex field=_raw "^\[(?<time>[^\]]+)\][^/]*/(?<app>\w+)/"
Maybe the event data is not in the _raw field? What part is not matching?


Manoshanni
New Member

The time field is extracting as expected. The app field is returning values as PC, JP.


ololdach
Builder

Hi Manoshanni, I solved your initial question, telling you why the error occurred. I gave you a regex that works like a charm on the data that you have provided and your comment PC, JP makes no sense to me. If you would like to ignore the "iron" and just return the "pc", "jp" ... you should have only had those in bold.
| rex field=_raw "^\[(?<time>[^\]]+)\][^/]*/iron(?<app>\w+)/"

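As an added, runnable illustration of the two rex patterns in this thread (example code, not from the thread or from Splunk): it applies both regexes to events constructed from the two log lines posted in the thread, and shows the kind of error an unpaired `[` produces. It is written in Python, whose `re` module only accepts the `(?P<name>...)` group syntax, whereas Splunk's PCRE-based rex accepts both `(?<name>...)` and `(?P<name>...)`, so the groups are renamed accordingly.

```python
import re

# Constructed sample events, copied from the two log lines in the thread.
EVENTS = [
    '[15/May/2020:03:51:10 -0400] "GET /ironpc/services/restapi...',
    '[15/May/2020:03:50:10 -0400] "GET /ironjp/rest/userdata...',
]

# First regex from the thread: "app" captures the whole first path
# segment, e.g. "ironpc". Note [^\]]+ : the close bracket inside the
# character class is escaped so the class itself stays balanced.
FULL_SEGMENT = re.compile(r'^\[(?P<time>[^\]]+)\][^/]*/(?P<app>\w+)/')

# Second regex from the thread: the literal "iron" prefix is consumed
# outside the group, so "app" captures only "pc" / "jp".
STRIP_PREFIX = re.compile(r'^\[(?P<time>[^\]]+)\][^/]*/iron(?P<app>\w+)/')


def extract(pattern, event):
    """Return the named groups as a dict, or None when the event does not match."""
    m = pattern.match(event)
    return m.groupdict() if m else None


def extract_all(pattern, events=EVENTS):
    """Apply one pattern to every event, like rex over a search result set."""
    return [extract(pattern, e) for e in events]


def mismatch_message(pattern_text):
    """Compile a pattern; return the engine's error text (None if it compiles).

    Used to show what an unpaired bracket looks like to the regex engine:
    Python's message differs from Splunk's "Mismatched ']'" but the cause is
    the same, a [ ( or { without its counterpart.
    """
    try:
        re.compile(pattern_text)
        return None
    except re.error as err:
        return str(err)


if __name__ == "__main__":
    print(extract_all(FULL_SEGMENT))   # app -> ironpc, ironjp
    print(extract_all(STRIP_PREFIX))   # app -> pc, jp
    # The closing ] of the character class is missing here (constructed bad pattern).
    print(mismatch_message(r'^\[(?P<time>[^\]+)\]'))
```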

ololdach
Builder

Hi,
all brackets () [] {} always have to come in pairs. They all have special meanings in regex and must be closed. The "Mismatch" error tells you that you have a bracket that is missing its counterpart. It's hard to tell exactly what you need, because you've not included the data sample and the result you'd like to get, but I assume that you want something like this:
rex "^[[^\n][(?<fieldnameA>[^ ]+)[^\"\n]\"\w+(?<fieldnameB>\s+/\w+)"
Note the two \" that differ from your regex. Since the " closes your regex string prematurely (giving you a bracket error), they need to be escaped by \" if you want to search your data for a " character. Also, you might want to include fieldnames in your regex.
Hope it helps
Oliver

Manoshanni
New Member

I am trying to extract data from web server logs.

Below are the sample logs. I am trying to extract the timestamp and the application the call is hitting. Doing this primarily for getting the web traffic.

[15/May/2020:03:51:10 -0400] "GET /ironpc/services/restapi....
[15/May/2020:03:50:10 -0400] "GET /ironjp/rest/userdata...


PavelP
Motivator

@Manoshanni

If this is one of the major web servers then there is an add-on for it, which does the parsing of all/most fields for you:

https://splunkbase.splunk.com/app/3186/ Apache / httpd

https://splunkbase.splunk.com/app/3258/ nginx

etc


cpetterborg
SplunkTrust

Please edit the example regex above and make it code-formatted by using the 101010 formatting button, so that all your characters are visible. It's likely that the * characters can be guessed, but there could be other characters that are missing.


PavelP
Motivator

Hello @Manoshanni

this regex is not correct, you can test it here: https://regex101.com/

Post a few raw events here so somebody can help you to build a correct regex. Regexes created using the field extraction tool are usually not very practical.
