Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- curl / python api fails on regex - scripted input
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When i run this in curl
curl index=text|rex field=_raw "ApplicationRegistry-(?.*)" max_match=0 |table source,sourcetype,text
it gives me an error, however if i remove the rex part, it works.
In python
import requests
data1 = {
'search': 'search index=text|rex field=_raw "ApplicationRegistry-(?.*)" max_match=0 |table source,sourcetype,text',
'output_mode': 'json'
}
response = requests.post('https://10.199.90.50:8089/servicesNS/admin/search/search/jobs/export', data=data1, verify=False, auth=('admin', 'admin'))
f.write(response.text)
I get same issue - error if i use rex
I am on windows, how to run this through curl/.bat file or a python script?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this is very similar to the issue I faced here - https://answers.splunk.com/answers/744391/rex-expression-does-not-work-in-curl.html
in python its basically a windows UTF issue,can you append this code before you write your response, something like this?
import requests
data1 = {
'search': 'search index=text|rex field=_raw "ApplicationRegistry-(?.*)" max_match=0 |table source,sourcetype,text',
'output_mode': 'json'
}
response = requests.post('https://10.199.90.50:8089/servicesNS/admin/search/search/jobs/export', data=data1, verify=False, auth=('admin', 'admin'))
with open ('<youroutputfile>.json', 'w', encoding="utf-8") as result:
result.write(response.text)
Your rexes have got corrupted while pasting, I assume it works for you though.
NOTE - I am on windows10 and the OS version (earlier windows) might affect , but give this a try
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this is very similar to the issue I faced here - https://answers.splunk.com/answers/744391/rex-expression-does-not-work-in-curl.html
in python its basically a windows UTF issue,can you append this code before you write your response, something like this?
import requests
data1 = {
'search': 'search index=text|rex field=_raw "ApplicationRegistry-(?.*)" max_match=0 |table source,sourcetype,text',
'output_mode': 'json'
}
response = requests.post('https://10.199.90.50:8089/servicesNS/admin/search/search/jobs/export', data=data1, verify=False, auth=('admin', 'admin'))
with open ('<youroutputfile>.json', 'w', encoding="utf-8") as result:
result.write(response.text)
Your rexes have got corrupted while pasting, I assume it works for you though.
NOTE - I am on windows10 and the OS version (earlier windows) might affect , but give this a try
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi the windows encoding utf8 is working as of now..i will check curl later
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
Keep the Learning Going with the New Best of .conf Hub
