topic Re: Logs between "string1" and "string2" in Splunk Search

Logs between "string1" and "string2"

VS0909 — Fri, 03 Sep 2021 15:27:47 GMT

I have to find logs between "string1" and "string2" in Splunk for index=abc. Then I need to verify if there is any "Error" or "Severe" word displayed in those logs.

Can someone please help with the Splunk query?

Re: Logs between "string1" and "string2"

shivanshu1593 — Fri, 03 Sep 2021 15:35:03 GMT

Hello @VS0909 ,

Could you share some sample data and desired output as to what you're expecting. We can help to build the query.

Thank you,

Re: Logs between "string1" and "string2"

gcusello — Sat, 04 Sep 2021 09:14:55 GMT

Hi @VS0909,

as @shivanshu1593 said, we could be more precise having a sample of your logs, anyway, the regex to extract a field between two strings it's easy:

| rex "string1(?<your_field>.*)string2"

beware when you write the strings because regexes are case sensitive.

Ciao.

Giuseppe

Re: Logs between "string1" and "string2"

VS0909 — Mon, 06 Sep 2021 06:02:25 GMT

@gcusello @shivanshu1593

Please find the below sample.

I want to extract the logs between "Abc fgh, app continuing" and "started in". If there are "ERROR" or "SEVERE" keywords in the extracted logs, then I want to print that "ERROR" or "SEVERE" line.

2021-08-31 02:03:52,081 INFO [stdout] jkwqdwqjdk
2021-08-31 02:03:52,081 INFO [stdout] (ServerService Thread Pool -- 83)
2021-08-31 02:03:52,081 INFO [stdout] (ServerService Thread Pool -- 83) Abc fgh, app continuing
2021-08-31 02:03:52,081 INFO [stdout] (ServerService Thread Pool -- 83)

2021-08-31 02:03:52,081 INFO [stdout] (ServerService Thread Pool -- 83)kwqskqw
2021-08-31 02:03:52,081 INFO [stdout] (ServerService Thread Pool -- 83)
2021-08-31 02:03:52,081 INFO [org.kjskj.akjs] (ServerService Thread Pool -- 11) WFLYUT0021: Registered web context: '/dyn' for server 'default-server'
2021-08-31 02:03:52,081 ERROR [org.kjskj.akjs] "There is an error"
2021-08-31 02:03:52,081 SEVERE [org.kjskj.akjs] There is Severe
2021-08-31 02:03:55,166 INFO [org.jboss.as] (Controller Boot Thread) WAAAAAA0033: JBoss EAP 1.1.9.GA (abcfegc Core 2.0.10.Final-call-00000) started in 169999ms - Started 2222 of 2222 services (311 services are lazy, passive or on-demand)
2021-08-31 02:03:55,169 INFO [org.jboss.as] (aa nnnThread) WAAAAAA0033: Http interface listening on http://111.11.11.11:8080/aaa
2021-08-31 02:03:55,169 INFO [org.nnn.as] (ioio llkl Thread) WAAAAAA0033: console listening on http://111.11.11.11:8080/aaa

Appreciate your help.

Re: Logs between "string1" and "string2"

gcusello — Mon, 06 Sep 2021 07:15:45 GMT

Hi @VS0909,

viewing you logs, it's a different situation: you don't need a regex to extract a field, you need to correlate many events!

Anyway, try something like this:

index=your_index | transaction startswith="Abc fgh, app continuing" endswith="started in" | rex "(?<error_level>ERROR|SEVERE)" | table _time error_level

Ciao.

Giuseppe

Re: Logs between "string1" and "string2"

VS0909 — Mon, 06 Sep 2021 08:05:57 GMT

@gcusello Thanks for the reply

I also want to print the line in the extracted Error or SEVERE line.

Can you pls help with that.

Re: Logs between "string1" and "string2"

gcusello — Mon, 06 Sep 2021 08:13:38 GMT

Hi @VS0909,

ok, please try this:

index=your_index | transaction startswith="Abc fgh, app continuing" endswith="started in" | rex "^(?<event>\d+-\d+-\d+\s+\d+:\d+:\d+,\d+\s(ERROR|SEVERE).*)" | table _time event

you can test the regex at https://regex101.com/r/oid94M/1

If you want also the error level and the timestamp of the single event, you can use another regex to extract them.

Ciao.

Giuseppe