Re: Rest API quote escape

zubairaizatron · ‎01-30-2022

Hi guys

I'm trying to run a search to the /jobs endpoint. however I get a

bash: syntax error near unexpected token `('

error message.

my search has quotes in it for a | rex command and I tried escaping the quotes with the \ but is till seem to get the issue. when using the \ I get a

<msg type="ERROR">Unparsable URI-encoded request data</msg>

error.

My search is structured as follows:

| tstats summariesonly=1 values(<values>) ....(there are a lot of these) from datamodel=<name> WHERE (some values for the previous section) | lookup <lookup> | rex field=<name> "(?<new field name>[^.]{9}$)" ...

there are about 4 lookups in total and 2 rex command. however when i try to escape in the rex command I get the Unparsebale URI error.

Anybody come across this error before?

johnhuang · ‎01-30-2022

Parenthesis are special characters in bash. You can escape with \

| rex field=<name> "$?<new field name>[^.]{9}$$" ...

Or encapsulate the entire SPL with single quote '

richgalloway · ‎01-30-2022

The "bash:" portion of the error message indicates this is a shell problem rather than a Splunk problem. It would help to see the complete CLI command, but I suspect you just need to put quotation marks around the entire search command (and escape quotation marks within it).

---
If this reply helps you, Karma would be appreciated.

Rest API quote escape

lookup

rex

tstats

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?