topic Re: How do I edit my "eval field=substr..." syntax to remove part of a stacktrace after a certain string? in Splunk Search

How do I edit my "eval field=substr..." syntax to remove part of a stacktrace after a certain string?

sickyb — Tue, 29 Dec 2015 16:23:21 GMT

I'm trying to create a dashboard where I count stacktraces in the logging. (the long term goal is to get rid off all stacktraces but we need to prioritize 🙂 )

To do this, I need to cut off the low level part of the stacktrace, the part that doesn't come from our code, but from the libraries that are packed with the distribution of the OS.

The cut-off point is easily recognized because it starts with at android.os, so I need to do something like:

eval action=substr(action,0,<xxx>)

where <xxx> is the position in the string that starts with "at android.os"

Any ideas on how to do this?

Re: How do I edit my "eval field=substr..." syntax to remove part of a stacktrace after a certain string?

richgalloway — Tue, 29 Dec 2015 17:21:08 GMT

Are you married to using substr? If not, rex can do the job. Try

... | rex field=action "(?<action>.*) at android\.os" | ...

Re: How do I edit my "eval field=substr..." syntax to remove part of a stacktrace after a certain string?

sickyb — Wed, 30 Dec 2015 09:04:05 GMT

Nope not married to substr but your regex leaves me with an error

Regex: unrecognized character after (? or (?-

So I added the fieldname after the ? leaving me with

rex field=action "(?/.*) at android\.os"

Which left me with the entire stacktrace once again. This led me to believe that the regex indeed matches the right string but then doesn't cut the rest of it. Beacause the stacktrace is sent from a mobile device it is compacted in a single line, no endlines there. So when I added mode=sed to the expression I got

Failed to initialize sed. cannot find sed command: (

Re: How do I edit my "eval field=substr..." syntax to remove part of a stacktrace after a certain string?

richgalloway — Wed, 30 Dec 2015 13:08:03 GMT

The board dropped a key piece from my answer, which I have corrected. Try again.

Re: How do I edit my "eval field=substr..." syntax to remove part of a stacktrace after a certain string?

sickyb — Wed, 30 Dec 2015 13:33:18 GMT

That is precisely what i did. but like i said that leaves me with the entire stacktrace instead of just the part before the "at android.os"

the editor for this q&a forum probably does some input sanitation throwing away the part with the triangular brackets
< >

Re: How do I edit my "eval field=substr..." syntax to remove part of a stacktrace after a certain string?

richgalloway — Wed, 30 Dec 2015 13:36:40 GMT

Hmm... I wonder if rex needs separate field names. Try

rex field=action "(?<newAction>.*) at android\.os"

Re: How do I edit my "eval field=substr..." syntax to remove part of a stacktrace after a certain string?

sickyb — Wed, 30 Dec 2015 14:09:25 GMT

Nope still the same.

Re: How do I edit my "eval field=substr..." syntax to remove part of a stacktrace after a certain string?

richgalloway — Wed, 30 Dec 2015 14:15:04 GMT

Did you remove the 'mode=sed'? Can you share a stacktrace so I can make sure the regex is correct?

Re: How do I edit my "eval field=substr..." syntax to remove part of a stacktrace after a certain string?

sickyb — Wed, 30 Dec 2015 14:37:30 GMT

java.lang.NullPointerException: Attempt to invoke virtual method 'android.content.SharedPreferences android.content.Context.getSharedPreferences(java.lang.String, int)' on a null object reference at rd.random.mized.a.a(SourceFile:26) at rd.random.mized.connectivity.statusapp.d.b(SourceFile:89) at rd.random.mized.connectivity.statusapp.d.a(SourceFile:50) at rd.random.mized.c.a.a(SourceFile:99) at rd.random.mized.c.a.a(SourceFile:49) at rd.random.mized.connectivity.statusapp.c.a(SourceFile:47) at rd.random.mized.connectivity.statusapp.c.a(SourceFile:28) at rd.random.mized.connectivity.ConnectionHandler$1.run(SourceFile:101) at android.os.Handler.handleCallback(Handler.java:739) at android.os.Handler.dispatchMessage(Handler.java:95) at android.os.Looper.loop(Looper.java:145) at android.app.ActivityThread.main(ActivityThread.java:5832) at java.lang.reflect.Method.invoke(Native Method) at java.lang.reflect.Method.invoke(Method.java:372) at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:1399) at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1194)

Re: How do I edit my "eval field=substr..." syntax to remove part of a stacktrace after a certain string?

richgalloway — Thu, 31 Dec 2015 14:35:45 GMT

Thanks for the example event. This rex command works with that data.

rex field=action "(?<newAction>.*?) at android\.os"

Re: How do I edit my "eval field=substr..." syntax to remove part of a stacktrace after a certain string?

sickyb — Tue, 05 Jan 2016 08:28:28 GMT

In the end creating a new field using this regex for the extraction worked.

^.*native-shell\;(?P<native_android_stacktrace>.*)\tat\ android.os.Handler

The native-shell part is added because the field extraction is done on the RAW data instead of the action field.
Learning something new every day 🙂 Let's continue doing that in 2016, Happy new year
and Thanks for the help.