https://community.splunk.com/t5/Splunk-Cloud-Platform/Search-string-and-evaluate-the-string/m-p/554861#M702 <P>Thank you a lot</P> Tue, 08 Jun 2021 09:09:54 GMT agamnarendra 2021-06-08T09:09:54Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Search-string-and-evaluate-the-string/m-p/554825#M696 <P>I need to findout errorcodes from logs and segregate them. Below log file is one of example logs.</P><P>&nbsp;</P><P><SPAN class="t">2021-06-08T05:42:29.141140</SPAN><SPAN>+</SPAN><SPAN class="t">00:00</SPAN> <SPAN class="t">DEBUG</SPAN> <SPAN class="t">html5client-v3</SPAN><SPAN>[</SPAN><SPAN class="t">19206</SPAN><SPAN>]</SPAN><SPAN class="t">:</SPAN><SPAN> [</SPAN><SPAN class="t">xid@1192</SPAN> <SPAN class="t">xid=S2TF6U5T</SPAN><SPAN>--</SPAN><SPAN class="t">7</SPAN> <SPAN class="t">cid=Arris-110_20F19EB3C050</SPAN> <SPAN class="t">did=</SPAN> <SPAN class="t">sid=5kCrKTc-K-4</SPAN> <SPAN class="t">hid=</SPAN><SPAN>"</SPAN><SPAN class="t">19206</SPAN><SPAN>"] </SPAN><SPAN class="t">CONSOLE:0</SPAN><SPAN> (</SPAN><SPAN class="t">null</SPAN><SPAN>) </SPAN><SPAN class="t">-</SPAN> <SPAN class="t">06-08-2021</SPAN> <SPAN class="t">05:42:29.141</SPAN> <SPAN class="t">DEBUG</SPAN><SPAN> (</SPAN><SPAN class="t">SGUI.VENONA_ANALYTICS</SPAN><SPAN>){"</SPAN><SPAN class="t">action</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">error</SPAN><SPAN>","</SPAN><SPAN class="t">data</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>{"</SPAN><SPAN class="t">category</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">error</SPAN><SPAN>","</SPAN><SPAN class="t">triggeredBy</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">application</SPAN><SPAN>","</SPAN><SPAN class="t">errorCode</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">GEN-1016</SPAN><SPAN>","</SPAN><SPAN class="t a"><SPAN class="t">errorType</SPAN></SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">application</SPAN><SPAN>","</SPAN><SPAN class="t">errorMessage</SPAN><SPAN>"</SPAN><SPAN class="t">:</SPAN><SPAN>"</SPAN><SPAN class="t">We</SPAN><SPAN>'</SPAN><SPAN class="t">re</SPAN> <SPAN class="t">sorry</SPAN><SPAN>, </SPAN><SPAN class="t">we</SPAN><SPAN>'</SPAN><SPAN class="t">re</SPAN> <SPAN class="t">unable</SPAN> <SPAN class="t">to</SPAN> <SPAN class="t">load</SPAN> <SPAN class="t">your</SPAN> <SPAN class="t">subscription</SPAN> <SPAN class="t">info.</SPAN> <SPAN class="t">Please</SPAN> <SPAN class="t">try</SPAN> <SPAN class="t">again</SPAN> <SPAN class="t">later.</SPAN> <SPAN class="t">\nReference</SPAN> <SPAN class="t">Code:</SPAN><SPAN>&amp;</SPAN><SPAN class="t">nbsp</SPAN><SPAN>;&amp;</SPAN><SPAN class="t">nbsp</SPAN><SPAN>;</SPAN><SPAN class="t">GEN-1016</SPAN><SPAN>","</SPAN><SPAN class="t">success</SPAN><SPAN>"</SPAN><SPAN class="t">:false</SPAN><SPAN>,</SPAN></P> Tue, 08 Jun 2021 06:18:19 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Search-string-and-evaluate-the-string/m-p/554825#M696 agamnarendra 2021-06-08T06:18:19Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Search-string-and-evaluate-the-string/m-p/554835#M697 <LI-CODE lang="markup">| rex "\"errorCode\":\"(?&lt;errorCode&gt;[^\"]+)"</LI-CODE> Tue, 08 Jun 2021 06:54:33 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Search-string-and-evaluate-the-string/m-p/554835#M697 ITWhisperer 2021-06-08T06:54:33Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Search-string-and-evaluate-the-string/m-p/554839#M698 <P>index=platform sourcetype=cloudtvapp NOT (host="*dev*")<BR />| rex "\"errorCode\":\"(?&lt;errorCode&gt;[^\"]+)"<BR />| table errorCode cid<BR /><BR /></P><P>Thank you for quick response&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;</P><P>Its not printing the errorCode with respective cid value. Search and filter is happened but not printed with above search. Any inputs?</P> Tue, 08 Jun 2021 07:08:48 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Search-string-and-evaluate-the-string/m-p/554839#M698 agamnarendra 2021-06-08T07:08:48Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Search-string-and-evaluate-the-string/m-p/554842#M699 <P>Is cid being extracted automatically or do you need to extract as part of your search?</P> Tue, 08 Jun 2021 07:24:43 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Search-string-and-evaluate-the-string/m-p/554842#M699 ITWhisperer 2021-06-08T07:24:43Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Search-string-and-evaluate-the-string/m-p/554849#M700 <P>Below search was helped to get the desired out put. but need to errorType filter in "rex". Can you guide me<BR /><BR />index=platform sourcetype=cloudtvapp NOT (host="*dev*" OR host="*zod*")<BR />| rex "\"errorCode\":\"(?&lt;errorCode&gt;[^\"]+)"<BR />| search errorCode="*"<BR />| stats count(errorCode) by errorCode host</P><P>&nbsp;</P><P>cid was added automatically . But need to "errorType" and "errorMessage" with respective&nbsp; filter in "rex". Can you guide me<BR /><BR />Basically i need to add more than one field search in "rex"</P> Tue, 08 Jun 2021 08:06:34 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Search-string-and-evaluate-the-string/m-p/554849#M700 agamnarendra 2021-06-08T08:06:34Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Search-string-and-evaluate-the-string/m-p/554852#M701 <LI-CODE lang="markup">index=platform sourcetype=cloudtvapp NOT (host="*dev*" OR host="*zod*") | rex "\"errorCode\":\"(?&lt;errorCode&gt;[^\"]+)\",\"errorType\":\"(?&lt;errorType&gt;[^\"]+)\",\"errorMessage\":\"(?&lt;errorMessage&gt;[^\"]+)" | search errorCode="*" | stats count values(errorType) as errorType values(errorMessage) as errorMessage by errorCode host</LI-CODE> Tue, 08 Jun 2021 08:15:05 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Search-string-and-evaluate-the-string/m-p/554852#M701 ITWhisperer 2021-06-08T08:15:05Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Search-string-and-evaluate-the-string/m-p/554861#M702 <P>Thank you a lot</P> Tue, 08 Jun 2021 09:09:54 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Search-string-and-evaluate-the-string/m-p/554861#M702 agamnarendra 2021-06-08T09:09:54Z