3

New to Splunk.

This query runs perfectly fine via the UI:

index=serverlogs* WEB_URL=/someurl/* | rex ".*\?(?<GETQUERY>[^ ]+)" | search GETQUERY=*.jpg | top 20 REFERER

I'm trying to apply this to the REST API as shown below, and every rex fails and sends back: Error in 'SearchParser': Missing a search command before '^'

It always sends back whatever special character is in the brackets []. Is there a way to use "rex" over the API using brackets in my regex, or some other way to use a regex to extract a field on the fly?

Here's my query:

curl -k https://myhost:8089/servicesNS/-/search/search/jobs/export -u user:passwd -d search="search index%3Dserverlogs* WEB_URL%3D/someurl/* | rex \".*\%3F(%3F<GETQUERY>[^ ]+)\" | search GETQUERY%3D*.jpg | top 20 REFERER" -d earliest_time="-10m" -d latest_time="now" -d output_mode="csv" > output.csv

Any suggestions?

DAhmed312

2 Answers

3

You have to escape your square brackets in rex (though not normally).

rex ".*\?(?<GETQUERY>\[^ \]+)"
Andrew Cheong
  • That worked to stop the errors, but the query returns no hits, when the same query returns the expected 20 values via the GUI. The raw data is the same in both feeds. Any idea why this is? – DAhmed312 Nov 21 '13 at 15:27
  • Instead of `curl`, try `echo` first, and see how your backslashes are being interpreted. I'm willing to bet that you're not sending what you think you're sending. I don't know what shell you're using (if any at all), but for example, what if `*` is globbing?—why are you escaping the double quotes surrounding `rex`'s argument, when you don't do so in the UI?—and are you sure it should be `\%3F`, not `\\%3F` or `%5C%3F`? Find a way to see the raw request being sent. – Andrew Cheong Nov 21 '13 at 15:42
  • Thank you for the input, it put me in the right direction. After escaping the brackets, it was still returning zero hits. I started with a regex of ".*" to match everything and was able to return hits at least, although not what I was trying to extract. – DAhmed312 Nov 25 '13 at 21:36
  • After going in circles for a while, I found that for some reason I couldn't use brackets at all in the regular expression. I substituted "[^ ]+" or "one or more characters that is not a space" with "\S+", which is pretty much an equivalent, and the field now extracts correctly. I have to escape the double quotes, since the parameter values through curl -d require double quotes; therefore if I want to pass them in the parameter literally, they need to be escaped. – DAhmed312 Nov 25 '13 at 21:42
  • @user3010793 - Nice! I'm glad you finally figured it out. You should post your solution as an answer to your own question. – Andrew Cheong Nov 25 '13 at 21:43
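Andrew's advice to look at the raw request is the key point: with curl -d the body is sent exactly as the shell leaves it, so every `%3D`, `\"` and `+` in the hand-built string is interpreted twice, once by the shell and once by the form decoder on the Splunk side. The following is an added Python example, not code from the question or from Splunk, that does the encoding with urllib.parse instead of by hand and shows what a form decoder makes of each body. The constant HAND_BUILT_BODY is a constructed reproduction of the string the question's command line hands to curl, assuming a Bourne-style shell in which `\"` inside double quotes becomes `"` and other backslashes are kept; the hostname and endpoint path are copied from the question.

```python
from urllib.parse import urlencode, parse_qs

# The SPL exactly as typed in the Splunk UI (from the question).
UI_QUERY = ('search index=serverlogs* WEB_URL=/someurl/* '
            '| rex ".*\\?(?<GETQUERY>[^ ]+)" '
            '| search GETQUERY=*.jpg | top 20 REFERER')

# Constructed: the body curl -d sends after the shell has turned \" into "
# in the question's command line. Everything else is passed through verbatim.
HAND_BUILT_BODY = ('search=search index%3Dserverlogs* WEB_URL%3D/someurl/* '
                   '| rex ".*\\%3F(%3F<GETQUERY>[^ ]+)" '
                   '| search GETQUERY%3D*.jpg | top 20 REFERER')

# Endpoint from the question; the host name is the question's placeholder.
EXPORT_URL = "https://myhost:8089/servicesNS/-/search/search/jobs/export"


def build_export_body(spl, earliest="-10m", latest="now", output_mode="csv"):
    """Form-encode every parameter for the jobs/export endpoint.

    urlencode percent-encodes '=', '?', '+', '"', '[', ']', '\\' and spaces,
    so the SPL arrives on the server character for character as typed in the
    UI. No shell escaping and no manual %XX sequences are needed.
    """
    params = {
        "search": spl,
        "earliest_time": earliest,
        "latest_time": latest,
        "output_mode": output_mode,
    }
    return urlencode(params)


def server_view(body):
    """Decode an application/x-www-form-urlencoded body the way the receiving
    end does and return the parameters as plain strings. Note that in this
    encoding a bare '+' means a space, which is what bites a regex like [^ ]+.
    """
    decoded = parse_qs(body, keep_blank_values=True)
    return {key: values[0] for key, values in decoded.items()}


def round_trips(spl):
    """True when encoding and then decoding gives back the original SPL."""
    return server_view(build_export_body(spl))["search"] == spl


if __name__ == "__main__":
    print("hand-built body decodes to:\n  " + server_view(HAND_BUILT_BODY)["search"])
    print("urlencoded body decodes to:\n  " + server_view(build_export_body(UI_QUERY))["search"])
    print("round trip ok:", round_trips(UI_QUERY))
    # To actually send it: POST build_export_body(UI_QUERY) to EXPORT_URL with
    # HTTP basic auth and a Content-Type of application/x-www-form-urlencoded.
```

Running this prints the hand-built body decoded to `... rex ".*\?(?<GETQUERY>[^ ] )" ...`: the `+` quantifier has become a space and the regex is no longer the one from the UI, while the urlencoded body decodes back to UI_QUERY unchanged. The same effect from the command line is curl's `--data-urlencode "search=..."` option, which percent-encodes the value for you so the only quoting left to worry about is the shell's own.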
2

I had the same problem after copying a query from an external source before editing. The quotation marks around my regular expression were the wrong character. Once I switched both of them to ", everything worked fine.

Nick Freeman