- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- curl / python api fails on regex - scripted input
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When i run this in curl
curl index=text|rex field=_raw "ApplicationRegistry-(?.*)" max_match=0 |table source,sourcetype,text
it gives me an error, however if i remove the rex part, it works.
In python
import requests
data1 = {
'search': 'search index=text|rex field=_raw "ApplicationRegistry-(?.*)" max_match=0 |table source,sourcetype,text',
'output_mode': 'json'
}
response = requests.post('https://10.199.90.50:8089/servicesNS/admin/search/search/jobs/export', data=data1, verify=False, auth=('admin', 'admin'))
f.write(response.text)
I get same issue - error if i use rex
I am on windows, how to run this through curl/.bat file or a python script?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this is very similar to the issue I faced here - https://answers.splunk.com/answers/744391/rex-expression-does-not-work-in-curl.html
in python its basically a windows UTF issue,can you append this code before you write your response, something like this?
import requests
data1 = {
'search': 'search index=text|rex field=_raw "ApplicationRegistry-(?.*)" max_match=0 |table source,sourcetype,text',
'output_mode': 'json'
}
response = requests.post('https://10.199.90.50:8089/servicesNS/admin/search/search/jobs/export', data=data1, verify=False, auth=('admin', 'admin'))
with open ('<youroutputfile>.json', 'w', encoding="utf-8") as result:
result.write(response.text)
Your rexes have got corrupted while pasting, I assume it works for you though.
NOTE - I am on windows10 and the OS version (earlier windows) might affect , but give this a try
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this is very similar to the issue I faced here - https://answers.splunk.com/answers/744391/rex-expression-does-not-work-in-curl.html
in python its basically a windows UTF issue,can you append this code before you write your response, something like this?
import requests
data1 = {
'search': 'search index=text|rex field=_raw "ApplicationRegistry-(?.*)" max_match=0 |table source,sourcetype,text',
'output_mode': 'json'
}
response = requests.post('https://10.199.90.50:8089/servicesNS/admin/search/search/jobs/export', data=data1, verify=False, auth=('admin', 'admin'))
with open ('<youroutputfile>.json', 'w', encoding="utf-8") as result:
result.write(response.text)
Your rexes have got corrupted while pasting, I assume it works for you though.
NOTE - I am on windows10 and the OS version (earlier windows) might affect , but give this a try
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi the windows encoding utf8 is working as of now..i will check curl later
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
