https://community.splunk.com/t5/Splunk-Search/Group-Java-Exceptions-even-though-there-is-no-KV-pair/m-p/101885#M26315 <P><B>If you want it purely inline</B>, try:</P> <PRE><CODE>| rex field=_raw "\b(?&lt;exception_type&gt;(com|java|javax)\.[\w\.]+Exception)" </CODE></PRE> <P><I>(Match on either "com" or "java" or javax, followed by a dot, and then as many word characters or dots as you need until you finish with "Exception")</I></P> <P><B>If you'd rather not have to use it in the search string</B>, then:</P> <P>In transforms.conf:</P> <PRE><CODE>[exception-type] REGEX = \b((com|java|javax)\.[\w\.]+Exception)\b FORMAT = exception_type::$1 </CODE></PRE> <P>In props.conf:</P> <PRE><CODE>[yoursourcetype] REPORT-exceptions = exception-type </CODE></PRE> <P><B>Or, you can configure an eventtype for each exception type or group of exception types.</B></P> Thu, 09 Dec 2010 07:41:08 GMT southeringtonp 2010-12-09T07:41:08Z https://community.splunk.com/t5/Splunk-Search/Group-Java-Exceptions-even-though-there-is-no-KV-pair/m-p/101884#M26314 <P>I have all types of Java Exceptions within my logs, that have no real form to them, except that they all start with "com." or "java." and end with exactly ".Exception". </P> <P>For example: </P> <PRE><CODE>java.lang.IllegalStateException java.lang.NullPointerException javax.servlet.ServletException com.ibm.blah.SomeException etc. </CODE></PRE> <P>How can I extract this in-line? </P> <P>Thanks, Sean </P> Thu, 09 Dec 2010 06:17:06 GMT https://community.splunk.com/t5/Splunk-Search/Group-Java-Exceptions-even-though-there-is-no-KV-pair/m-p/101884#M26314 seanlon11 2010-12-09T06:17:06Z https://community.splunk.com/t5/Splunk-Search/Group-Java-Exceptions-even-though-there-is-no-KV-pair/m-p/101885#M26315 <P><B>If you want it purely inline</B>, try:</P> <PRE><CODE>| rex field=_raw "\b(?&lt;exception_type&gt;(com|java|javax)\.[\w\.]+Exception)" </CODE></PRE> <P><I>(Match on either "com" or "java" or javax, followed by a dot, and then as many word characters or dots as you need until you finish with "Exception")</I></P> <P><B>If you'd rather not have to use it in the search string</B>, then:</P> <P>In transforms.conf:</P> <PRE><CODE>[exception-type] REGEX = \b((com|java|javax)\.[\w\.]+Exception)\b FORMAT = exception_type::$1 </CODE></PRE> <P>In props.conf:</P> <PRE><CODE>[yoursourcetype] REPORT-exceptions = exception-type </CODE></PRE> <P><B>Or, you can configure an eventtype for each exception type or group of exception types.</B></P> Thu, 09 Dec 2010 07:41:08 GMT https://community.splunk.com/t5/Splunk-Search/Group-Java-Exceptions-even-though-there-is-no-KV-pair/m-p/101885#M26315 southeringtonp 2010-12-09T07:41:08Z https://community.splunk.com/t5/Splunk-Search/Group-Java-Exceptions-even-though-there-is-no-KV-pair/m-p/101886#M26316 <P>How do I then reference these fields? I tried the following, but it did not work. </P> <P>eventtype="all_web" *Exception | rex field=_raw ".(?<EXCEPTION_TYPE>(com|java).[\w.]+Exception)" | stats count(exception_type) by host</EXCEPTION_TYPE></P> <P>Thanks for the help!</P> Mon, 28 Sep 2020 09:21:56 GMT https://community.splunk.com/t5/Splunk-Search/Group-Java-Exceptions-even-though-there-is-no-KV-pair/m-p/101886#M26316 seanlon11 2020-09-28T09:21:56Z https://community.splunk.com/t5/Splunk-Search/Group-Java-Exceptions-even-though-there-is-no-KV-pair/m-p/101887#M26317 <P>I think you have a simple typo. Taking part of your query:<BR /> ".(?<EXCEPTION_TYPE>(com|java).[\w.]+Exception)"<BR /> try this:<BR /> ".(&lt;?exception_type&gt;(com|java).[\w.]+Exception)"</EXCEPTION_TYPE></P> Thu, 16 Dec 2010 07:33:18 GMT https://community.splunk.com/t5/Splunk-Search/Group-Java-Exceptions-even-though-there-is-no-KV-pair/m-p/101887#M26317 tedder 2010-12-16T07:33:18Z https://community.splunk.com/t5/Splunk-Search/Group-Java-Exceptions-even-though-there-is-no-KV-pair/m-p/101888#M26318 <P>You're right that it was a typo, but the question mark was in the right place. The leading dot should have been a word breaker ('.' vs '\b'). Edited above to correct.</P> Thu, 16 Dec 2010 22:03:11 GMT https://community.splunk.com/t5/Splunk-Search/Group-Java-Exceptions-even-though-there-is-no-KV-pair/m-p/101888#M26318 southeringtonp 2010-12-16T22:03:11Z