topic extract string to a field in Splunk Search

extract string to a field

navd — Sun, 17 Jun 2018 20:33:56 GMT

I have some strings appearing in the events , i want to extract them ,it doesnt have any keyvalue pair
sample event :-
6/15/18
4:53:00.123 PM 420420 1529074380797 2018-06-15 14:53:00.797 10.224.34 - - - - prod abc.services ffffffffdcfb607e-186-16403ef6ffd000 ERROR ERROR - - - - com.data.driver.core.exceptions.NouserAvailableException: All user(s) tried for query failed

so from the above event I would want to extract "com.data.driver.core.exceptions.NouserAvailableException"

Re: extract string to a field

Ayn — Sun, 17 Jun 2018 21:53:34 GMT

What other data around it can you rely on to stay the same? Are the dashes before your text static for instance? Did you try the interactive field extractor?

Re: extract string to a field

lloydknight — Sun, 17 Jun 2018 23:01:52 GMT

Hello @navd

You may refer to this link to access the field extractor,
Or you can extract fields using regex. See link.

Also, if the provided sample event is in uniform with the succeeding events, try this query:

your base search | rex "\ERROR ERROR - - - - (?<Exception>.*)\:"

Hope it helps!

Re: extract string to a field

vinod94 — Mon, 18 Jun 2018 09:12:10 GMT

if the events are of the same type, you can try this...

| makeresults 
| eval data="6/15/18
4:53:00.123 PM 420420 1529074380797 2018-06-15 14:53:00.797 10.224.34 - - - - prod abc.services ffffffffdcfb607e-186-16403ef6ffd000 ERROR ERROR - - - - com.data.driver.core.exceptions.NouserAvailableException: All user(s) tried for query failed" 
| rename data as _raw 
| rex field=_raw "ERROR\s\-\s\-\s\-\s\-(?P<field_name>[^\:]+)"