I am using the Python Splunk SDK to run a query, and this part of the query is giving me the above mismatched brackets error.
| rex field=_raw "(?ms)^(?:[^\"\\n]*\"){6}(?P<Error_code>\\d+)(?:[^\"\\n]*\"){4}(?P<Error_description>[^\\\\]+)"
It works when I put it in the actual Splunk search, but when I run it through Python it's giving me that error. What could be the problem?
You should escape all the special characters (like double quote) used in your variable string.
Try this:
query = "| rex field=_raw \"(?ms)^(?:[^\"\\n]\"){6}(?P\\d+)(?:[^\"\\n]\"){4}(?P[^\\\]+)"
I figured it out after A LOT of trial and error. The following is the "Python version". I kept printing what Python says and kept modifying it so it looks like the string in the Splunk IDE.
| rex field=_raw "(?ms)^(?:[^\\"\\n]\\"){6}(?P\\d+)(?:[^\\"\\n]\\"){4}(?P[^\\\\]+)"
Thank you for your help and for guiding me in the right direction.
@jawaharas Yeah, it says the same thing: "Error in search parser mis matched ']'". It's a nightmare.
Glad it worked out for you. Can you upvote and accept the answer if it's helped you? Thanks.
Hi Eid,
Your query regex works fine in Splunk Web, but I haven't checked with Python.
As it is being used in Python, the reason you are getting this error is most probably due to character escaping \\ at the end of your regex.
Try playing around with the character escapes at <Error_description>[^\\\\] and it will solve your problem.
@gaurav_maniar Hi Gaurav! Yeah, that is part of it, but the issue also resides in the first half of the query. For example, the first half here "raw "(?ms)^(?:[^\"\n]*\"){6}(?P\d+)" also gives me the same error... What am I supposed to escape here?
Can you share the Python snippet where you use the regex?
@jawaharas Hi, the Python is just in a variable like this:
query = """| rex field=_raw "(?ms)^(?:[^\"\n]\"){6}(?P\d+)(?:[^\"\n]\"){4}(?P[^\\]+)"""
then executed later.
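Added example, not code from any poster in this thread: it takes the search text from the question and shows what a raw versus a non-raw Python literal actually hands to the SDK, then generates a non-raw literal that evaluates to the same text. The helper names are hypothetical, and the quote count assumes that `\"` inside a double-quoted search string is an escaped quote.

```python
import ast

# Search text exactly as typed into Splunk Web (copied from the question).
# A raw literal (r'''...''') leaves every backslash and quote untouched.
SPL = r'''| rex field=_raw "(?ms)^(?:[^\"\\n]*\"){6}(?P<Error_code>\\d+)(?:[^\"\\n]*\"){4}(?P<Error_description>[^\\\\]+)"'''

# Same characters in a non-raw literal: Python consumes one layer of escapes,
# so \" becomes " and \\ becomes \ before the string ever leaves Python.
MANGLED = '''| rex field=_raw "(?ms)^(?:[^\"\\n]*\"){6}(?P<Error_code>\\d+)(?:[^\"\\n]*\"){4}(?P<Error_description>[^\\\\]+)"'''


def unescaped_quotes(text):
    """Count double quotes that are not preceded by an escaping backslash."""
    count, i = 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2  # skip the backslash and the character it escapes
            continue
        if text[i] == '"':
            count += 1
        i += 1
    return count


def as_plain_literal(text):
    """Source of a non-raw Python literal that evaluates to `text`.
    Assumes `text` has no newlines or other control characters."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def round_trips(text):
    """True if the generated literal evaluates back to exactly `text`."""
    return ast.literal_eval(as_plain_literal(text)) == text


if __name__ == "__main__":
    print("sent with raw literal  :", SPL)
    print("sent with plain literal:", MANGLED)
    print("unescaped quotes       :", unescaped_quotes(SPL), "vs", unescaped_quotes(MANGLED))
    print("plain literal to paste :", as_plain_literal(SPL))
```

With the raw literal only the opening and closing quotes of the rex pattern are unescaped; with the plain literal the inner quotes lose their backslashes, so the quoted pattern ends early inside a `[` character class.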