topic Re: Extract Text from logs in Splunk Search

Extract Text from logs

ppanchal — Tue, 17 Oct 2017 19:34:37 GMT

Below is my log,

CustomItemContainerGenerator.GenerateNextLocalContainer: Node is not the current one. in Xceed.Wpf.DataGrid.v4.5
Stack trace:
at Xceed.Wpf.DataGrid.CustomItemContainerGenerator.GenerateNextLocalContainer(Boolean& isNewlyRealized)
at Xceed.Wpf.DataGrid.CustomItemContainerGenerator.System.Windows.Controls.Primitives.IItemContainerGenerator.GenerateNext(Boolean& isNewlyRealized)
at Xceed.Wpf.DataGrid.Views.TableflowViewItemsHost.GenerateContainer(ICustomItemContainerGenerator generator, Int32 index, Boolean measureInvalidated, Boolean delayDataContext)
at Xceed.Wpf.DataGrid.Views.TableflowViewItemsHost.GenerateContainers(I

How can I extract only 'Node is not the current one' from the log and display?

Re: Extract Text from logs

cpetterborg — Tue, 17 Oct 2017 22:06:20 GMT

Is that all you want to extract, or is there something associated with that string that you want to extract? If all you want to do is display that one field, there seem to be many better ways of doing that. What are you going to do with that information from the events? If all you want to do is count the number of events that contain that, then you don't have to extract that data, just search for it and do a stats count on the results. So I'm not sure what you need from such an extraction. Please help me understand.

Re: Extract Text from logs

sowings — Tue, 17 Oct 2017 23:40:09 GMT

Time to learn some regex!

Re: Extract Text from logs

ppanchal — Wed, 18 Oct 2017 02:23:44 GMT

So I have similar such errors in my logs and I want to extract them and display only the unique ones with only the error message and nothing else. stats count does not help me here.

Re: Extract Text from logs

ppanchal — Wed, 18 Oct 2017 02:24:04 GMT

Can you help me with the regex?

Re: Extract Text from logs

cpetterborg — Wed, 18 Oct 2017 04:04:54 GMT

Probably, but what is the point of extracting a constant text value. You don't need regex to do that. If you want to extract the message that comes after the colon to the first period, then use:

... | rex "^\S+:\s*(?P<mess>[^.]+)"

Re: Extract Text from logs

ppanchal — Tue, 24 Oct 2017 19:36:35 GMT

This did not help.
It gives me the output from starting of the log to the first period and not from the colon to first period.

Please help.

Re: Extract Text from logs

alemarzu — Tue, 24 Oct 2017 20:03:18 GMT

Hi there @ppanchal

What about this one ... | rex ":\s(?<text>[\w\s]+)\.\s" | stats count by text

Re: Extract Text from logs

ppanchal — Tue, 24 Oct 2017 20:43:04 GMT

Thanks that worked.

One more question,

How can I extract 'An entry with the same key already exists' from the below phrase,

423160139776 An entry with the same key already exists. in System Stack trace

Re: Extract Text from logs

alemarzu — Wed, 25 Oct 2017 13:26:33 GMT

This one should work for both cases.

... | rex "(?:\s|\d+\s)(?<text>[\w\s]+)\.\s" | stats count by text

Hope it helps.

Remember to accept an answer to help future readers find the solution.

Re: Extract Text from logs

sshelly_splunk — Thu, 02 Nov 2017 18:55:31 GMT

If you only want to extract that exact text, than:

 (?P<myfield>Node is not the current one\.)