This is a very vague question. I have received a query from a partner who has observed Splunk erroring out complaining about a "missing parenthetical" when indexing web proxy logs. I am unable to get a sample of the proxy data being indexed or a screenshot since this is part of a security investigation. A search of "missing parenthetical" on splunk.com turns up zero results. I am hoping someone out there has encountered this error or can review the source code and explain the conditions under which this error might occur.
I have heard this error can occur from a front-end error when attempting to upload certain data, via the "upload a file" interface in the web manager. The solution to that problem was to manually add the file via CLI, or monitor the directory of the file (if possible).
I have heard this error can occur from a front-end error when attempting to upload certain data, via the "upload a file" interface in the web manager. The solution to that problem was to manually add the file via CLI, or monitor the directory of the file (if possible).
And I suspect that in this game of telephone, the actual original messages complained about a missing parenthesis, not parenthetical. I would imagine if it appears in search, the location of the problem would be obvious. The likely other place would be a misconfigured regular expression in either search-time or index-time extraction regexes.
This error occurs where? In the splunkd.log, the web UI, what? On the one hand, you say it happens when indexing, but on the other hand you take about getting a screenshot rather than the log file with the error in it.
