topic Re: Extract error message from java error logs in Splunk Search

How to extract error message from java error logs?

mail2uharishp — Wed, 21 Dec 2022 04:51:38 GMT

Hi All,

Could you please help in extracting the error log from java error log.

I would like to see the result in a table format
Code | Message
1234 | due to system error

Error log is as below

message: Exception Occurred ::org.springframework.web.client.HttpClientErrorException$BadRequest: 400 Bad Request: [{"code":"1234","reason":"due to system error.","type":"ValidationException"}]
at org.springframework.web.client.HttpClientErrorException.create(HttpClientErrorException.java:303)
at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:384)
at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:325)
......

I have tried few extractions from splunk searches, however nothing were fruitful.

Re: Extract error message from java error logs

yuanliu — Wed, 21 Dec 2022 02:45:05 GMT

| rex mode=sed "s/Bad Request: */Bad_Request=/" ``` extract JSON array ``` | kv | spath input=Bad_Request path={} | mvexpand {} ``` in case there are multiple elements in JSON array ``` | spath input={} | fields code reason

Hope this helps

Re: Extract error message from java error logs

mail2uharishp — Wed, 21 Dec 2022 03:01:56 GMT

No @yuanliu , it is still returning a blank data for me

I have added table to your query only, apart from providing index my query looks like below

index = myindex "searchfields" | rex mode=sed "s/Bad Request: */Bad_Request=/" ``` extract JSON array ``` | kv | spath input=Bad_Request path={} | mvexpand {} ``` in case there are multiple elements in JSON array ``` | spath input={} | fields code reason |table code reason

Re: Extract error message from java error logs

mail2uharishp — Wed, 21 Dec 2022 03:24:02 GMT

No @yuanliu

I am seeing entire error message as is if i exactly use your query and if I add table field then null values are being returned

Re: Extract error message from java error logs

yuanliu — Wed, 21 Dec 2022 05:08:00 GMT

This may mean that your data isn't exactly like you illustrated. Let's diagnose step by step. (table command will not do anything special if you already see blank.) Please post result from the following (anonymize as needed):

| search "Bad Request:" ``` only bad requests of interest ``` | rex mode=sed "s/Bad Request:\s*/Bad_Request=/" ``` extract JSON array ``` | kv | table Bad_Request

Emulated output

The following is the emulation I use, and the result I get from your sample data:

| makeresults | fields - _time | eval _raw = "message: Exception Occurred ::org.springframework.web.client.HttpClientErrorException: 400 Bad Request: [{\"code\":\"1234\",\"reason\":\"due to system error.\",\"type\":\"ValidationException\"}] at org.springframework.web.client.HttpClientErrorException.create(HttpClientErrorException.java:303) at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:384) at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:325) ......" ``` data emulation above ``` | rex mode=sed "s/Bad Request: */Bad_Request=/" ``` extract JSON array ``` | kv | table Bad_Request _raw

The output is

Bad_Request

_raw

[{"code":"1234","reason":"due to system error.","type":"ValidationException"}]

message: Exception Occurred ::org.springframework.web.client.HttpClientErrorException: 400 Bad_Request=[{"code":"1234","reason":"due to system error.","type":"ValidationException"}] at org.springframework.web.client.HttpClientErrorException.create(HttpClientErrorException.java:303) at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:384) at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:325) ......

Do you get similar output?