topic Re: How to extract errorCode and errorDescription from my events? in Splunk Search

How to extract errorCode and errorDescription from my events?

splunker9999 — Wed, 26 Oct 2016 19:44:24 GMT

Hi ,

We need to extract few fields from below log events, these may look like JSON format.
Looking to extract Error code and error description from below events, we tried and unsuccessful.

2016-10-25 12:33:31,926 [http-00000:13111-2] INFO [org.apache.cxf.interceptor.LoggingInInterceptor ?] Inbound Message ---------------------------- 
ID: 18 Response-Code: 200
Encoding: UTF-8 
Content-Type: application/json;charset=UTF-8
Headers: {content-type=[application/json;charset=UTF-8], Date=[Tue, 25 Oct 2016 17:33:30 GMT], Expires=[Thu, 01 Jan 1970 00:00:00 GMT], Set-Cookie=[BrowserId=L8p9Eij0T4Sfp-INSP9zDw;Path=/;Domain=.salesforce;Expires=Sat, 24-Dec-2016 17:33:30 GMT], transfer-encoding=[chunked]} 

Payload: {"responseCode":"201","messageId":"704c8163-13d4-42b8-a684-94b9d23e849e",
"lead":[{"responseCode":"201","leadID":null,"errors":[{"errorField":"head","errorDescription":"The value of email is invalid.","errorCode":"Value_Invalid_E400"},{"errorField":"bestTimeToContact","errorDescription":"The value of bestTimeToContact is invalid.","errorCode":"Value_Invalid_E400"}]}]} 
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
2016-10-25 12:33:31,986 [http-000000:13111-2] INFO [org.apache.cxf.interceptor.LoggingOutInterceptor ?] Outbound Message --------------------------- 
ID: 17 
Response-Code: 200 
Content-Type: application/json
Headers: {Content-Type=[application/json], Date=[Tue, 25 Oct 2016 17:33:31 GMT]}
Payload: {"errors":[{"errorCode":"Value_Invalid_E400","errorDescription":"The value of email is invalid.","errorField":"head"},{"errorCode":"Value_Invalid_E400","errorDescription":"The value of bestTimeToContact is invalid.","errorField":"bestTimeToContact"}]} --------------------------------------
Collapse

Tried below command to extract but unsuccessful:

    | rex max_match=0 "errorCode\"\:\s\"(?P<error_code>[^\"])+" | rex max_match=0 "errorDescription\"\:\s\"(?P<error_desc>[^\"])+"

Thanks

Re: How to extract errorCode and errorDescription from my events?

somesoni2 — Wed, 26 Oct 2016 19:50:51 GMT

Try like this

your base search |rex max_match=0 "errorDescription\"\:\"(?<errorDescription>[^\"]+).+errorCode\"\:\"(?<errorCode>[^\"]+)"

See the regex101 validation https://regex101.com/r/BxjoRR/1

Re: How to extract errorCode and errorDescription from my events?

gokadroid — Thu, 27 Oct 2016 05:21:15 GMT

Since in your sample data both events (I am assuming event split at date time) have errorCode and errorDescription in different sequences, once errorCode followed by errorDescription and then in other event in vice versa sequence, hence try this below:

1) rex out your error code and error description as multivalue field:

your Base query that returns the above two events
| rex max_match=0 field=_raw "\"errorCode\":\"(?<errorCode>[^\"]+)\""
| rex max_match=0 field=_raw "\"errorDescription\":\"(?<errorDesc>[^\"]+)\""

2) Zip these multivalue fields in myField so you end up with values like myField=(errorCode1,errorDesc1 ) and then expand the field

| eval myField=mvzip( errorCode, errorDesc)
| mvexpand myField

3) Using the "," as delimiter in myField, split up the values again as errC and errD and then table them.

|makemv myField delim=","
| eval errC=mvindex(myField, 0)
| eval errD=mvindex(myField, 1)
| table errC, errD

Full blown query here:

    yourBaseQuery
| rex max_match=0 field=_raw "\"errorCode\":\"(?[^\"]+)\""
| rex max_match=0 field=_raw "\"errorDescription\":\"(?[^\"]+)\""
| eval myField=mvzip( errorCode, errorDesc)
| mvexpand myField
|makemv myField delim=","
| eval errC=mvindex(myField, 0)
| eval errD=mvindex(myField, 1)
| table errC, errD

Re: How to extract errorCode and errorDescription from my events?

gcusello — Fri, 28 Oct 2016 12:41:38 GMT

Hi splunker9999,
Maybe I don't understand what is your problem, but with these regexes you can extract your fields:

| rex "errorCode\"\:\"(?<errorCode>[^\"]*)" | rex "errorDescription\"\:\"(?<errorDescription>[^\"]*)"

maybe the problem could be that in every event you have more values for each field.
Bye.
Giuseppe

Re: How to extract errorCode and errorDescription from my events?

aaraneta_splunk — Tue, 08 Nov 2016 02:09:47 GMT

Hi @splunker9999 - Looks like you have some good feedback about your question below. If one of the answers helped to provide a working solution, please don't forget to click "Accept" below the best answer to resolve this post. If no, please leave a comment with some feedback so someone can try to help more. Thanks!