- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- curl / python api fails on regex - scripted input
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When i run this in curl
curl index=text|rex field=_raw "ApplicationRegistry-(?.*)" max_match=0 |table source,sourcetype,text
it gives me an error, however if i remove the rex part, it works.
In python
import requests
data1 = {
'search': 'search index=text|rex field=_raw "ApplicationRegistry-(?.*)" max_match=0 |table source,sourcetype,text',
'output_mode': 'json'
}
response = requests.post('https://10.199.90.50:8089/servicesNS/admin/search/search/jobs/export', data=data1, verify=False, auth=('admin', 'admin'))
f.write(response.text)
I get same issue - error if i use rex
I am on windows, how to run this through curl/.bat file or a python script?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this is very similar to the issue I faced here - https://answers.splunk.com/answers/744391/rex-expression-does-not-work-in-curl.html
in python its basically a windows UTF issue,can you append this code before you write your response, something like this?
import requests
data1 = {
'search': 'search index=text|rex field=_raw "ApplicationRegistry-(?.*)" max_match=0 |table source,sourcetype,text',
'output_mode': 'json'
}
response = requests.post('https://10.199.90.50:8089/servicesNS/admin/search/search/jobs/export', data=data1, verify=False, auth=('admin', 'admin'))
with open ('<youroutputfile>.json', 'w', encoding="utf-8") as result:
result.write(response.text)
Your rexes have got corrupted while pasting, I assume it works for you though.
NOTE - I am on windows10 and the OS version (earlier windows) might affect , but give this a try
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this is very similar to the issue I faced here - https://answers.splunk.com/answers/744391/rex-expression-does-not-work-in-curl.html
in python its basically a windows UTF issue,can you append this code before you write your response, something like this?
import requests
data1 = {
'search': 'search index=text|rex field=_raw "ApplicationRegistry-(?.*)" max_match=0 |table source,sourcetype,text',
'output_mode': 'json'
}
response = requests.post('https://10.199.90.50:8089/servicesNS/admin/search/search/jobs/export', data=data1, verify=False, auth=('admin', 'admin'))
with open ('<youroutputfile>.json', 'w', encoding="utf-8") as result:
result.write(response.text)
Your rexes have got corrupted while pasting, I assume it works for you though.
NOTE - I am on windows10 and the OS version (earlier windows) might affect , but give this a try
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi the windows encoding utf8 is working as of now..i will check curl later
New Case Study Shows the Value of Partnering with Splunk Academic Alliance
How to Monitor Google Kubernetes Engine (GKE)
Index This | How can you make 45 using only 4?
