topic Re: How can I create a field for error messages? in Splunk Search

How can I create a field for error messages?

123Janardhan — Wed, 30 Aug 2017 12:26:58 GMT

Hello All,

I am beginner of Splunk.

I have a requirement like "we are having multiple applications in our system. When ever we see any errors transactions for any of the application. I have to fetch application name and error message into two different fields so that I can display it in table format."

Could you please let me know how to fetch entire error message into a single field. Error message will not be same.

Example Log: 2017:12:25:45 AAA(application name) - timeout error (error message)
2017:12:25:49 BBB(application name) - Please enter correct details (error message)
2017:12:25:45 AAA(application name) - No data found (error message)
Thanks,

Re: How can I create a field for error messages?

fbehe — Wed, 30 Aug 2017 12:34:04 GMT

You can do that using a rex command

your search
| rex field=<your field> "\d+:\d+:\d+:\d+ (?P<triplet>.+)\((?P<app>.+)\) - (?P<error>.+) \((?P<message>.*)\)$"

This will add the triplet field which corresponds to AAA or BBB in your example, app field that contains your "application name", error which will contain messages such as "No data found" and finally message that will contain the error message.

Re: How can I create a field for error messages?

jkat54 — Wed, 30 Aug 2017 12:36:57 GMT

You can do in the search with rex:

| rex "\((?<appName>.*)\).+\((?<errorMessage>.*)\)" | table appName errorMessage

Or you can do so via props.conf on the search heads:

[sourcetypeName]
EXTRACT-appNameErrorMessage = \((?<appName>.*)\).+\((?<errorMessage>.*)\)

Re: How can I create a field for error messages?

123Janardhan — Wed, 30 Aug 2017 12:50:25 GMT

Do i need to pass explicitly appName and errormessage. Is it not possible to get from events. Because we are having different types of error messages for the same application.

Re: How can I create a field for error messages?

jkat54 — Thu, 31 Aug 2017 00:59:37 GMT

That will be the field name that contains a value that IS your application name or error message.

You can change it to whatever you want your field names to be:

Run it against your data and look at the interesting fields on the left side of your screen.

Re: How can I create a field for error messages?

jkat54 — Thu, 31 Aug 2017 01:05:20 GMT

 | rex "\((?<field1>.*)\).+\((?<field2>.*)\)" | table field1 field

The above would creat two fields, field1 and field2. Field1 would be your application names and field2 would be your error messages.

Now you can have fun with your new fields.

| rex "\((?<appName>.*)\).+\((?<errorMessage>.*)\)" | stats values(errorMessage) by appName

 | rex "\((?<appName>.*)\).+\((?<errorMessage>.*)\)" | stats count by errorMessage, appName

Etc

Re: How can I create a field for error messages?

jkat54 — Thu, 31 Aug 2017 07:39:20 GMT

If you're saying AAA is the app name and "timeout error" is the error message then this could be your regex:

\d{4}:\d\d:\d\d:\d\d\s+(?<application>.*)\s-\s(?<error>.*)