Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

curl / python api fails on regex - scripted input

9738078959
Engager
‎08-28-2019 01:45 AM

When i run this in curl
curl index=text|rex field=_raw "ApplicationRegistry-(?.*)" max_match=0 |table source,sourcetype,text
it gives me an error, however if i remove the rex part, it works.
In python

import requests
data1 = {
  'search': 'search index=text|rex field=_raw "ApplicationRegistry-(?.*)" max_match=0 |table source,sourcetype,text',
  'output_mode': 'json'
}
response = requests.post('https://10.199.90.50:8089/servicesNS/admin/search/search/jobs/export', data=data1, verify=False, auth=('admin', 'admin'))

    f.write(response.text)

I get same issue - error if i use rex
I am on windows, how to run this through curl/.bat file or a python script?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Sukisen1981
Champion
‎08-28-2019 09:29 AM

this is very similar to the issue I faced here - https://answers.splunk.com/answers/744391/rex-expression-does-not-work-in-curl.html
in python its basically a windows UTF issue,can you append this code before you write your response, something like this?

    import requests
    data1 = {
      'search': 'search index=text|rex field=_raw "ApplicationRegistry-(?.*)" max_match=0 |table source,sourcetype,text',
      'output_mode': 'json'
    }
    response = requests.post('https://10.199.90.50:8089/servicesNS/admin/search/search/jobs/export', data=data1, verify=False, auth=('admin', 'admin'))
    with open ('<youroutputfile>.json', 'w', encoding="utf-8") as result:
        result.write(response.text)

Your rexes have got corrupted while pasting, I assume it works for you though.
NOTE - I am on windows10 and the OS version (earlier windows) might affect , but give this a try

View solution in original post

Reply
Solved! Jump to solution
Solution

Sukisen1981
Champion
‎08-28-2019 09:29 AM

this is very similar to the issue I faced here - https://answers.splunk.com/answers/744391/rex-expression-does-not-work-in-curl.html
in python its basically a windows UTF issue,can you append this code before you write your response, something like this?

    import requests
    data1 = {
      'search': 'search index=text|rex field=_raw "ApplicationRegistry-(?.*)" max_match=0 |table source,sourcetype,text',
      'output_mode': 'json'
    }
    response = requests.post('https://10.199.90.50:8089/servicesNS/admin/search/search/jobs/export', data=data1, verify=False, auth=('admin', 'admin'))
    with open ('<youroutputfile>.json', 'w', encoding="utf-8") as result:
        result.write(response.text)

Your rexes have got corrupted while pasting, I assume it works for you though.
NOTE - I am on windows10 and the OS version (earlier windows) might affect , but give this a try

Reply
Solved! Jump to solution

9738078959
Engager
‎08-29-2019 04:31 AM

hi the windows encoding utf8 is working as of now..i will check curl later

0 Karma
Reply
Get Updates on the Splunk Community!

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

Overwhelmed SOC? Splunk ES Has Your Back Tool sprawl, alert fatigue, and endless context switching are making ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us on ...
Top