topic Re: Exception matching in Splunk Search

Exception matching

prad18 — Mon, 28 Sep 2020 15:18:11 GMT

Hi
i'm currently using following regex to match different types of exception.

(?i:[^.]+.)*(?P[a-zA-Z]+Exception)

sample log

06 Sep 2013 18:59:59,924 [WebContainer : 4] ERROR - Remote Exception while updating CSA Details

java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
java.rmi.RemoteException: ; nested exception is:
org.springframework.jdbc.UncategorizedSQLException: CallableStatementCallb
``ack; uncategorized SQLException for SQL [{call
PX_CO_AC_AGREEMENT_MASTER_PG.spt_update(?, ?, ?, ?, ?, ?)}]; SQL state [72000]; error code

[20002]; ORA-20002: Record has been modified since last retrieved - Resubmit transaction for

parameter(s) p_acag_agreement_id_in values of which are => 1463755

ORA-06512: at "ACCOUNT_OWNER.PX_CO_AC_AGREEMENT_MASTER_PG", line 91

ORA-06510: PL/SQL: unhandled user-defined exception

ORA-06512: at line 1

; nested exception is java.sql.SQLException: ORA-20002: Record has been modified since last

retrieved - Resubmit transaction for parameter(s) p_acag_agreement_id_in values of which are

=> 1463755
ORA-06512: at "ACCOUNT_OWNER.PX_CO_AC_AGREEMENT_MASTER_PG", line 91

ORA-06510: PL/SQL: unhandled user-defined exception

ORA-06512: at line 1

the regex is matching SQLException(Bold) but i need match UncategorizedSQLException(Bold) once from the above log entry.

i tried like even like this (?i:[^.]+.)*(?P[a-zA-Z]+Exception|UncategorizedSQLException)but it was not successfull.

Any help on this.

Re: Exception matching

MuS — Mon, 18 Nov 2013 12:56:33 GMT

Hi prad18

quick one would be like this:

 (?<test>(\sSQL|(\w+\.){3}\w+SQL)+Exception)

this matches org.springframework.jdbc.UncategorizedSQLException and SQLException
You can test your regex by using this nice online regex tester

hope this helps ...

cheers, MuS

Re: Exception matching

prad18 — Tue, 19 Nov 2013 06:09:45 GMT

It is matching only org.springframework.jdbc.UncategorizedSQLException, SQLException these

But actually I need to match following
An Error has occured for com.marsh.csa.exception.NoClientInfoFound:-->NoClientInfoFound
handleException():com.marsh.framework.core.exception.MarshException:-->MarshException
Found Exception, class:java.lang.NullPointerException-->NullPointerException
org.springframework.dao.DataAccessResourceFailureException-->DataAccessResourceFailureException
org.springframework.jdbc.UncategorizedSQLException-->UncategorizedSQLException

Just last words not entire package name.

Re: Exception matching

MuS — Wed, 20 Nov 2013 09:07:22 GMT

well that was what you requested in first place 😉
To match the last word in any of the above provided errors you could use something like this:

((\w+\.){2,6})(?<test>\w+\b)

cheers

Re: Exception matching

laserval — Wed, 20 Nov 2013 12:54:37 GMT

As suggested in @MuS answer, try the different values in a regex tester (you could also use the built-in one in Splunk Web).

I think you need to consider some other things, though:

What are you going to use this for? In your example log, you are extracting two values from the same log event. One is the actual exception name and one is part of the exception message (... ack; uncategorized SQLException for SQL ...). Additionally, the values are not the first exceptions mentioned in the event.
Do you only want actual exceptions? In that case, consider that some exceptions might not be called Exception. You might need to detect exceptions based on position, or by filtering your results to only events that should mention exceptions.
Some exceptions might have the same class names, but different fully-qualified names (e.g. com.foo.framework.net.http.NotFoundException and org.bar.gofish.hand.NotFoundException). If you're doing statistics based on these extractions, that could give you bad results.

Re: Exception matching

prad18 — Mon, 25 Nov 2013 05:22:02 GMT

Hi MuS,
((w+.){2,6})(?w+b) is not matching any of the above error's last word. 😞

Re: Exception matching

prad18 — Mon, 25 Nov 2013 05:29:53 GMT

hi laserval,
I need to extract one exception from each event and show the count in the form of chat.
The above example log is one event in which initially I extracted java.rmi.ServerException-> "Server exception" but now I've to match org.springframework.jdbc.UncategorizedSQLException -> "UncategorizedSQLException" instead of Server exception.

Yeah last point is valid one there could be different fully-qualified names. Any suggestion on how to tackle this problem.

Re: Exception matching

MuS — Mon, 25 Nov 2013 09:52:59 GMT

Hi sure it does, you must include \ like this
((\w+\.){2,6})(?<test>\w+\b)
it will create new fields called test

Re: Exception matching

laserval — Tue, 26 Nov 2013 09:23:21 GMT

I need to extract one exception from each event and show the count in the form of chat.
The above example log is one event in which initially I extracted java.rmi.ServerException-> "Server exception"

You could have an extraction that creates a multivalue field. Then you could filter out ServerException and other generic ones when doing the stats and chart, so your chart can include any new exceptions that turn up.

Any suggestion on how to tackle this problem.

Extract the whole name, then categorize afterwards, e.g. stats count(eval(match(exception, "SQL"))) as SQLExceptions.

Re: Exception matching

prad18 — Wed, 27 Nov 2013 09:21:05 GMT

while posting comments slashes are being removed. I made typo with rex command that's why it was not working then i added assetion like ((w+.){2,6})(?w+b)(?<=Exception|NoClientInfoFound|DataAccessResourceFailureException) and it matched all exceptions.

Thanks a lot for help MuS

Re: Exception matching

prad18 — Wed, 27 Nov 2013 09:25:10 GMT

You could have an extraction that creates a multivalue field.

How can i do this, any example or doc?

Re: Exception matching

laserval — Wed, 22 Jan 2014 13:06:12 GMT

How can i do this, any example or doc?

You probably found a solution, but: rex max_match=0 ... will extract as many values as there are, and make the field multivalued. See http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/rex