Solved: Regex is correct but splunk throws error

amunag439 · ‎08-14-2019

For the following log, I would like to filter by a string. I would have to extract the string using regex.

traceId=xyz msg=Patch for deviceId with body {"parameters":[{"value":"{\"code\":\"ABC_DEF_SEND_MACBOOKS\",\"commands\.....}
traceId=xyz msg=Patch for deviceId with body {"parameters":[{"value":"{\"code\":\"ABC_DEF_OPEN_MACBOOKS\",\"commands\.....}

My Splunk query is as follows.
host=* sourcetype="*" source="example.log" "msg=Patch for deviceId*" | rex "code\\"\:\\"(?<codes>.{20})" | where codes=ABC_DEF_SEND_MACBOOKS

But splunk throws the below error related to regex
Error in 'rex' command: Encountered the following error while compiling the regex 'code\\:\(?<codes>.{20})': Regex: unmatched closing parenthesis

When I checked the regex in regex101.com, the output for codes is as expected.
What is wrong with the parenthesis in this case?

Sukisen1981 · ‎08-14-2019

try this:

    host=* sourcetype="*" source="example.log" "msg=Patch for deviceId*" |  rex field=_raw "code\\\+\":+\\\+\"(?<codes>.*?)\\\+" | where codes="ABC_DEF_SEND_MACBOOKS"

in your where condition you also need to have your string within quotes like above

View solution in original post

Sukisen1981 · ‎08-14-2019

try this:

    host=* sourcetype="*" source="example.log" "msg=Patch for deviceId*" |  rex field=_raw "code\\\+\":+\\\+\"(?<codes>.*?)\\\+" | where codes="ABC_DEF_SEND_MACBOOKS"

in your where condition you also need to have your string within quotes like above

koshyk · ‎08-14-2019

my guess is reason of failure is due to you not escaping double quotes "

Try something like..

host=* sourcetype="*" source="example.log" "msg=Patch for deviceId*" | rex "code\\\"\:\\\"(?<codes>.{20})"

cheers

Regex is correct but splunk throws error

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases