topic Re: Splunk Regex help in Splunk Search

Splunk Regex help

viksvig — Thu, 11 Nov 2021 21:31:49 GMT

Hi, I have the search returning the event

Nov 10 23:45:3 8888888 Tra[9100]: { EventName: "Error Occurred", BatchId: 095cehcx-87ee-43f6-9663-c2fb833677a978, CorrelationId: 5fghja26b9-fe73-78cb-342b-5123f2ec167896, Payload: BusinessLogicException { Message: "Lead 0000000001VII6N00AX has an agency code that is not 7 digits.", Data: [], InnerException: null, TargetSite: Void Validate(uya.QueryModels.Lead), StackTrace: " at uyu.Models.Lead.Validate(Lead queriedLead)

How do i extract only the content on the Message

Message: "Lead 0000000001VII6N00AX has an agency code that is not 7 digits.:"

Re: Splunk Regex help

richgalloway — Fri, 12 Nov 2021 18:22:11 GMT

It would help to know what you've tried so far.

See if this regex helps

| rex "(?<Message>Message: \\\"[^\\\"]+\\\")"

If you only need the message itself, then try this

| rex "Message: \\\"(?<Message>\\\"[^\\\"]+)"

Re: Splunk Regex help

viksvig — Fri, 12 Nov 2021 16:00:40 GMT

@richgalloway

Getting an error for the 1st search

| rex "(?<Message>Message: \\\"[^\\\\"]+\\\")"

Error in 'SearchParser': Missing a search command before '^'. Error at position '81' of search query 'search index=cloud EventName: "Error Occurred" | ...{snipped} {errorcontext = Message>"[^\\\\"]+)"}'.

Getting error for

| rex "Message: \\\"(?<Message>"[^\\\\"]+)"

Mismatched ']'.

Re: Splunk Regex help

richgalloway — Fri, 12 Nov 2021 18:22:36 GMT

Sorry about that. I had the wrong number of escape characters. Please try my revised answer.

Re: Splunk Regex help

manishchoudhary — Fri, 12 Nov 2021 18:47:20 GMT

Hello @viksvig ,

Please use the below regex value in order to extract the message field at search time. Also, in order to extract the message field for all the logs put this regex value in Setting --> Field extraction
.*?Message:\s+"(?P<message>.*?)"

Kindly let me know if it works fine in your environment

Re: Splunk Regex help

bhargavi — Sat, 13 Nov 2021 10:13:13 GMT

Hello,

Please try the below regex.

|rex field=_raw "\sMessage\:(?P<Message>.*)\,\s\Data"

Re: Splunk Regex help

viksvig — Tue, 23 Nov 2021 16:39:37 GMT

It works in the search , but when it sends it as email alert, it only has the dates and the messagews are empty

Re: Splunk Regex help

viksvig — Tue, 23 Nov 2021 16:40:20 GMT

It works in the search , but when it sends it as email alert, it only has the dates and the message field is empty

Re: Splunk Regex help

viksvig — Mon, 29 Nov 2021 19:31:02 GMT

@richgalloway @manishchoudhary @bhargavi any idea why

I have splunk search - index=cloud EventName: "Error Occurred" XChangeToSalesForce | rename message as "Message" _time as Time | table Time,Message

When i search on splunk search, i get the below response

1637759064 Multiple Terms found for the same agency. Agency code:

But when the email is sent, i get nothing on the message field . It is set as inline

Time	Message
1637759064