Alerting

Extract a field

vineela
Path Finder

I have few events whereas few events are configured as keyvalue pairs and few are not. when i am using search time extractions it is not taking.

Example event : 09/Jun/2021:15:45:12 +1000 [DefaultJmsListenerContainer-1] [correlationId=] ERROR au.com.commbank.pso.payments.pds.listener.util.JmsInExceptionListener - Wed Jun 09 05:45:12 UTC 2021,,,,,PDS Event Microservice Listener,,PDS_ERR_EVENT_MICROSERVICE_0003,PDS Event Microservice connection to MQ has failed,,,,,,,,,,,,

 

09/Jun/2021:15:45:02 +1000 [DefaultJmsListenerContainer-1] [correlationId=] ERROR au.com.commbank.pso.payments.pds.listener.util.JmsInExceptionListener - Wed Jun 09 05:45:02 UTC 2021,,,,,PDS Event Microservice Listener,,PDS_ERR_EVENT_MICROSERVICE_0003,PDS Event Microservice connection to MQ has failed,,,,,,,,,,,,

 

I need to extract only "PDS_ERR_EVENT_MICROSERVICE_0003" as errorcode and "PDS Event Microservice connection to MQ has failed" as errorMessage .

Can anyone help me with either regex or any other way to extract only these values.

Because i need to chart values and create alert based on this.

Thanks in Advance

Labels (1)
Tags (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| rex "([^,]*,){7}(?<errorcode>[^,]*),(?<errormessage>[^,]*),"

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| rex "([^,]*,){7}(?<errorcode>[^,]*),(?<errormessage>[^,]*),"
0 Karma

vineela
Path Finder

Yes, That worked perfectly. Thanks for the quick response

0 Karma
Get Updates on the Splunk Community!

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...

Enterprise Security Content Update (ESCU) | New Releases

In October, the Splunk Threat Research Team had one release of new security content via the Enterprise ...