topic Re: Splunk rex field in Splunk Enterprise

Splunk rex field

DougiieDee — Mon, 07 Jun 2021 20:26:47 GMT

How do i extract this message in splunk rex field to display error code and message in reports like ABC_Code and Message?
"exception":"java.util.concurrent.ExecutionException: ABC_1000:We're sorry, it looks like an error occurred while getting information"

Re: Splunk rex field

ITWhisperer — Mon, 07 Jun 2021 20:38:20 GMT

| eval parts=split(field,":") | eval message=mvindex(parts,2)

Re: Splunk rex field

DougiieDee — Mon, 07 Jun 2021 20:49:03 GMT

this doesnt work, could you please give another solutions?

Re: Splunk rex field

ITWhisperer — Mon, 07 Jun 2021 20:56:10 GMT

Sorry that should have been

| eval parts=split(field,":") | eval message=mvindex(parts,3)

If this doesn't work, can you provide more complete example event (anonymised) and details of what fields you already have extracted to help us find a better solution

Re: Splunk rex field

DougiieDee — Mon, 07 Jun 2021 21:14:45 GMT

index=abc
"exception":"java.util.concurrent.ExecutionException"

searching above displays like these in below events

"exception":"java.util.concurrent.ExecutionException: ABC_1000:We're sorry, it looks like an error occurred while getting information"

"exception":"java.util.concurrent.ExecutionException: ABC-2000:We're sorry, it looks like an error occurred while getting information"

I want to take the ABC_ OR ABC- error codes and have a report based on that which should look like this

ABC Codes	message	counts
ABC_1000	We're sorry, it looks like an error occurred while getting information	3
ABC-2000	We're sorry, it looks like an error occurred while getting information	5

Re: Splunk rex field

ITWhisperer — Mon, 07 Jun 2021 21:20:20 GMT

Is this part of a JSON event - can you extract "exception" and work with that field?

Re: Splunk rex field

ITWhisperer — Mon, 07 Jun 2021 21:23:57 GMT

| rex field=fieldX "(?<ABCcode>ABC(_|-)\d+):(?<message>.*?)"

Re: Splunk rex field

DougiieDee — Tue, 08 Jun 2021 14:18:15 GMT

didnt work with this rex query

Re: Splunk rex field

ITWhisperer — Wed, 09 Jun 2021 16:24:31 GMT

Perhaps this will work?

| rex field=fieldX "(?<ABCcode>ABC(_|\-)\d+):(?<message>.*?)"

Re: Splunk rex field

mikeyty07 — Wed, 09 Jun 2021 16:25:51 GMT

this is same as the above didnt work

Re: Splunk rex field

ITWhisperer — Wed, 09 Jun 2021 16:30:01 GMT

Rather than me guessing what your events actually look like and what your current search looks like with respect to fields already extracted, perhaps you can provide some more detail?

Re: Splunk rex field

DougiieDee — Wed, 09 Jun 2021 16:48:46 GMT

2021-06-09 15:00:37.640 ThreadCompletableFuture : {"logType":"STANDARD","message":"Exception occurred executing task","context":{"configLabel":"abc-session-4.0-372","threadContextId":"2e63fe-83f"},"exception":"java.util.concurrent.ExecutionException: CommonApplicationException: ABC_2004:We're sorry, it looks like an error occurred while retrieving information

2021-06-09 15:00:37.640 ThreadCompletableFuture : {"logType":"STANDARD","message":"Exception occurred executing task","context":{"configLabel":"abc-session-4.0-372","threadContextId":"2e63fe-83f"},"exception":"java.util.concurrent.ExecutionException: CommonApplicationException: ABC-2014:We're sorry, it looks like an error occurred while retrieving information

it looks sth like this and i want the abc code and message

Re: Splunk rex field

ITWhisperer — Wed, 09 Jun 2021 16:54:39 GMT

| rex "(?<errorCode>ABC(_|\-)\d+):(?<errorMessage>.*)"

Re: Splunk rex field

DougiieDee — Wed, 09 Jun 2021 16:56:55 GMT

this also didnt work

Re: Splunk rex field

ITWhisperer — Wed, 09 Jun 2021 17:12:34 GMT

This runanywhere example shows it working.

| makeresults | eval _raw="2021-06-09 15:00:37.640 ThreadCompletableFuture : {\"logType\":\"STANDARD\",\"message\":\"Exception occurred executing task\",\"context\":{\"configLabel\":\"abc-session-4.0-372\",\"threadContextId\":\"2e63fe-83f\"},\"exception\":\"java.util.concurrent.ExecutionException: CommonApplicationException: ABC_2004:We're sorry, it looks like an error occurred while retrieving information 2021-06-09 15:00:37.640 ThreadCompletableFuture : {\"logType\":\"STANDARD\",\"message\":\"Exception occurred executing task\",\"context\":{\"configLabel\":\"abc-session-4.0-372\",\"threadContextId\":\"2e63fe-83f\"},\"exception\":\"java.util.concurrent.ExecutionException: CommonApplicationException: ABC-2014:We're sorry, it looks like an error occurred while retrieving information" | multikv noheader=t | table _raw | rex "(?<errorCode>ABC(_|\-)\d+):(?<errorMessage>.*)"

Re: Splunk rex field

DougiieDee — Wed, 09 Jun 2021 18:07:30 GMT

It didnt work only shows two events no codes and message

Re: Splunk rex field

rupkumar4sec — Wed, 09 Jun 2021 18:35:58 GMT

Try below regular expression

|rex field=_raw "Exception\:\s(?=ABC)(?<ABC_CODE>[^\:]+)\:(?<Message>[^\"]+)"

Assuming your message ends with double quotes(")

Re: Splunk rex field

DougiieDee — Wed, 09 Jun 2021 18:54:06 GMT

didnt work for this as well shows all the logs

Re: Splunk rex field

rupkumar4sec — Wed, 09 Jun 2021 19:36:05 GMT

Yeah it is just a rex command so it will show raw events. If you want a table like you asked in one of your comments use below search

index=abc "exception":"java.util.concurrent.ExecutionException"
| rex field=_raw "Exception\:\s(?=ABC)(?<ABC_CODE>[^\:]+)\:(?<Message>[^\"]+)"
| stats count by  ABC_CODE, Message

Re: Splunk rex field

DougiieDee — Wed, 09 Jun 2021 19:46:03 GMT

this looks good but is there a way to minimize message to limited text instead of whole events error?