topic Re: How to do newline splitting for a single event in Splunk Search

How to do newline splitting for a single event

sumitnagal — Thu, 13 Sep 2012 00:58:47 GMT

Hi,
I want to identified the exception caused by my API to the external API. here is example, I am looking for below output

14 Jun 2012 07:38:55,280 [ABCD] ERROR my.classname (46) - The exception value: An error occurred while processing the request on the server: System.Runtime.Remoting.RemotingException: Server is busy. Try request again later.
at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:188)
at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:130)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
at $Proxy207.retrieveDeploymentById(Unknown Source)
at com.test.abc.my(classname:46)

I am looking for below output

14 Jun 2012 07:38:55  my.class 46  com.sun.xml.ws.fault.SOAP11Fault.getProtocolException System.Runtime.Remoting.RemotingException

I am trying below query, but not sure how can do line breaking after getting value.

search | rex "(?i)^(?P<DATEFIELD>[^,]+),\\d+\\s+\[(?P<FIELDNAME>[^ ]+)\] (?P<LOGTYPE>(INFO|ERROR|DEBUG)) (?P<CALLNAME>[^ ]+)\(\d+\)\\s-\\s(?P<FIELDNAME2>[^-]+)" | rex "(?i)\tat (?P<FIELDNAME3>[^\(]+)"

Thanks,
Sumit

Re: How to do newline splitting for a single event

jonuwz — Thu, 13 Sep 2012 10:09:26 GMT

Like this :

... | rex "(?si)^(?P<DATEFIELD>[^,]+),\d+\s+\[(?P<FIELDNAME>[^ ]+)\] (?P<LOGTYPE>(INFO|ERROR|DEBUG)) (?P<CALLNAME>[^ ]+) \((?P<FIELDNAME2>\d+)\).*?:.*?:\s+(?P<FIELDNAME3>[^:]+).*?[\r\n]+\s*at\s+(?P<FIELDNAME4>[^\(]+)" 
| table DATEFIELD FIELDNAME LOGTYPE CALLNAME FIELDNAME2 FIELDNAME3 FIELDNAME4

The 's' in (?si) means treat \n as a character, not a line break.

This returns :

DATEFIELD   14 Jun 2012 07:38:55
FIELDNAME   ABCD
LOGTYPE     ERROR
CALLNAME    my.classname
FIELDNAME2  46
FIELDNAME3  System.Runtime.Remoting.RemotingException
FIELDNAME4  com.sun.xml.ws.fault.SOAP11Fault.getProtocolException

Re: How to do newline splitting for a single event

sumitnagal — Mon, 07 Oct 2013 09:48:05 GMT

This is very close to what I am looking, but I can't use FIELDNAME as it may have few lines or may have too many lines. I have to parse all the lines, please suggest how do I get specific liie , com.test.abc.my from the list of stack trace.

Re: How to do newline splitting for a single event

johnnyzebra — Mon, 07 Jul 2014 23:16:00 GMT

Thanks!
This helped me resolve an issue where a rex I used in my search would not work when I did it as a field extraction. (grabbing everything up to the end of the line) It seems as if the field extraction was applying the si, so my \n wouldn't work.

Re: How to do newline splitting for a single event

wjblazek — Tue, 28 Oct 2014 23:23:52 GMT

Yes Thanks!

The "[\r\n]" was the key I needed to search across line breaks:

| rex field=_raw "\[(?P<field1>...)\-(?P<field2>...)\-(?P<field3>...).*\]" | rex field=_raw "(?si)\s+\-\s+Caught\s+(?P<field4>...):\s+(?P<field5>...).*[\r\n](?P<field6>...):\s(?P<field7>...)" | stats count(field2) by field2,field3,field4,field5,field6,field7

Also (?m) seems to work like (?si) to tell rex to work across multiple lines:

| rex field=_raw "\[(?P<field1>...)\-(?P<field2>...)\-(?P<field3>...).*\]" | rex field=_raw "(?m)\s+\-\s+Caught\s+(?P<field4>...):\s+(?P<field5>...).*[\r\n](?P<field6>...):\s(?P<field7>...)" | stats count(field2) by field2,field3,field4,field5,field6,field7

Is there any significant difference between (?m) and (?si) ?

Is this documented anywhere?

Re: How to do newline splitting for a single event

jonuwz — Fri, 31 Oct 2014 23:33:58 GMT

pcre modifiers - http://php.net/manual/en/reference.pcre.pattern.modifiers.php