topic Re: Pick up the first occurrence of a word in Splunk Search

Pick up the first occurrence of a word

jw44250 — Tue, 02 May 2017 15:17:47 GMT

I want to pick only the first occurrence of word .

index = index1 ERROR

Event Result

2017-04-29T18:29:27.246+0000
message test error
testError
requestURl="home/testError"

But I am only interested the word Error, I thought i could with case insenstive search but it is not correct options or != operators this is may too dangerous might lose some other events

Re: Pick up the first occurrence of a word

niketn — Tue, 02 May 2017 15:24:40 GMT

Do you intend to perform case sensitive search? You can add the following to your base search CASE("*Error")

https://docs.splunk.com/Documentation/Splunk/latest/Search/UseCASEandTERMtomatchphrases

Re: Pick up the first occurrence of a word

DalJeanis — Tue, 02 May 2017 15:42:52 GMT

updated 8:00 PM CDT (Central US Daylight Savings TIme)

This should select the first line that has the word "error" in any case, anywhere in the line in it.

index = index1 "ERROR"
| rex field=_raw "(?im)^(?<theline>.*error.*)$"
| table _time theline

Re: Pick up the first occurrence of a word

jw44250 — Tue, 02 May 2017 16:30:56 GMT

hi,

it didnt work , getting error
Error in 'SearchOperator:regex': Usage: regex (=|!=)

and ERROR is not a field

Re: Pick up the first occurrence of a word

jw44250 — Tue, 02 May 2017 16:45:55 GMT

Sample Event Result 1:
2017-04-15T19:19:51.669+0000 ERROR
unknown error..........................
ERROR
....................................requestURI="url/test.error"
.............something happened error

I am interested only the very first appearance of the Error in the row data

Not sure if it correct : getting actual result but it selects every error sample Event Result 1
index= index1 ERROR | regex _raw="\bERROR\b"

Re: Pick up the first occurrence of a word

jw44250 — Tue, 02 May 2017 17:06:29 GMT

not really,

I am interested only in the first occurance of the word error and error is not a field.

Re: Pick up the first occurrence of a word

jw44250 — Tue, 02 May 2017 17:06:44 GMT

it would be helpful int the future

Re: Pick up the first occurrence of a word

somesoni2 — Tue, 02 May 2017 18:29:46 GMT

If the location of word ERROR (I'm assuming it's the one that appears after the timestamp) is the filter criteria, try like this

index=index1 ERROR | regex _raw="^\S+\s+ERROR.+"

Re: Pick up the first occurrence of a word

DalJeanis — Tue, 02 May 2017 19:14:12 GMT

corrected grammar, try again.

Re: Pick up the first occurrence of a word

DalJeanis — Tue, 02 May 2017 19:18:03 GMT

I think you've got what he means.

Re: Pick up the first occurrence of a word

jw44250 — Tue, 02 May 2017 20:21:32 GMT

it works Thanks, but i'm interested only the first occurrence for the word error but not the rest

Log Sample

Line 1 --> 2017-04-29T18:29:27.246+0000
Line 2 -- >message test error
Line 3 --> testError
Line 4 -->requestURl="home/testError"

Only want Line 2 Error which is the first appears of "ERROR"

I used this command and it work but still i can see it select all error of the same event

index = index1 "ERROR"
| regex _raw="\bError\b"

Re: Pick up the first occurrence of a word

somesoni2 — Tue, 02 May 2017 20:28:27 GMT

So do you've multiline events (field linecount>1)? If yes, then is there any rule that 'only select the events which has error word in line 2' or something similar? What should happen if instead of line 2 line 3 has word error?

Re: Pick up the first occurrence of a word

jw44250 — Tue, 02 May 2017 21:32:14 GMT

As soon as i see the error i want to stop, it doensn't matter it is in line 1,2 03, etc. it can any where the event.

Re: Pick up the first occurrence of a word

somesoni2 — Tue, 02 May 2017 22:21:57 GMT

What you want to do after you picked that first Error word? You want to extract any field value around it?

Re: Pick up the first occurrence of a word

jw44250 — Wed, 03 May 2017 00:29:14 GMT

I dont want to extract to any field, but im interested the whole _raw data

Re: Pick up the first occurrence of a word

danielsofoulis — Wed, 03 May 2017 04:38:53 GMT

Try this

index=index1 | rex field=requestURl \w+\/test(?<error>Error) | fields error