topic Re: How to extract fields from my sample data and include these results in an email alert? in Splunk Search

How to extract fields from my sample data and include these results in an email alert?

krishananth — Tue, 07 Apr 2015 16:12:32 GMT

Hello,

I'm evaluating splunk to capture data for raising data alerts, raising technical alerts etc.
Most of data generated is using Log4J2. I'm able to forward data from an Linux machine to a receiver (in windows PC).
I'm able to view real-time search. Now I need to filter the data based on regex or any expression and link it to email Alerts.
I tried using fields, but it seems complex to extract data from my search results.
Below is sample data:

2015-04-07 17:05:09,019 ERROR o.m.e.DefaultMessagingExceptionStrategy [[SplunkErrorProducer-vv3].SplunkErrorProducerFlow.stage1.02] 
********************************************************************************
Message               : Component that caused exception is: DefaultJavaComponent{SplunkErrorProducerFlow.component.207509504}. Message payload is of type: String
Code                  : MULE_ERROR--2
--------------------------------------------------------------------------------
Exception stack is:
1. payload contents =
Printing: 
CommonProductResult #0 {..... 250 lines more ...}
*********************************************************************************

My questions are:
1) How do I extract data beginning from "payload contents" to the "********" line (around 250 lines - which are not fixed).
2) Even if I define a field, how can the field data be part of the email body for an alert?

Could you help me on this? Is field object necessary or any other way to extract data based on specific pattern and link it to email Alerts?

Thank you,

Ananth

Re: How to extract fields from my sample data and include these results in an email alert?

esix_splunk — Wed, 08 Apr 2015 01:37:20 GMT

For the regex, you can first test with in an inline REX using multiline capture:

[search] | rex field=_raw "(?s)payload contents = (?<myfield>[^\*]+)\n\*+"

May need to adjust that a bit, I dont have time right now to run that through a regex validator.. Once that fields extracted, you can reference the field in alerts.. One way is to add the ... | table _time myfield ... to the end of your savedsearch..

Re: How to extract fields from my sample data and include these results in an email alert?

krishananth — Wed, 08 Apr 2015 11:05:29 GMT

Hi,

I'm using the following search query to pick the payload contents.

sourcetype=MY_DEV source="/my_esb/logs/splunkerrorproducer.log" ERROR | rex field=_raw "(?s)payload contents =(?<my_field>[^\*]+)\n\*+"

However when I view the alert, it contains all additional information and it is due to the ERROR in the query. If I remove ERROR, the search returns no results.

I think there is some problem with regex in the search. The above search works without ?< my_field > in an online regex tool.
Is there anything missing to use regex and fields?

Ananth

Re: How to extract fields from my sample data and include these results in an email alert?

krishananth — Fri, 10 Apr 2015 15:40:26 GMT

Hi Esix_splunk,

I was bit unclear on the pipe symbol (assuming it as OR). Now, I'm able to extract exception message based on regex pattern, refer it to a field, create an alert with 2 columns (_time and my field). This looks better now.

Thanks for your answer.

Ananth