- Community
- :
- Splunk Answers
- :
- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Field values with spaces
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
I'm trying to use a field that has values that have spaces.
For example: errorMsg=Requested tickets could not be reserved
another example: errorMsg=System.ObjectDisposedException: The factory was disposed and can no longer be used. Object name: 'this'.
The problem is that the messages contain spaces. All of the messages are different in this field, some longer with less spaces and some shorter. When I do a stats count command on the errorMsg field but all I get is the first word of the string.
Any ideas on how I can correct this?
I also tried using the Field Extractor but alas no good.
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well you could extract the value from the the event and then assign it to a new filed. Take a chance with the below one.
source...| rex field=_raw "errorMsg=(?P<Error>[\S\s]+)" |stats count by Error
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Both of these seemed to be correct answers. The first solves inline and the second works great as an extraction. Thanks for the help guys, I greatly appreciate it!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well you could extract the value from the the event and then assign it to a new filed. Take a chance with the below one.
source...| rex field=_raw "errorMsg=(?P<Error>[\S\s]+)" |stats count by Error
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes after the = sign there is always a message like examples above. It is NEVER NULL. When I use the stats command I only get the first word of the message
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i meant after = sign do you have the error message or do you get something else??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
but it is always more than one word
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No sometimes it is something more simple as: errorMsg=Requested tickets could not be reserved
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
do you have the entire sentence always as the error message after errorMsg=?
Data Preparation Made Easy: SPL2 for Edge Processor
Introducing Edge Processor: Next Gen Data Transformation
Tips & Tricks When Using Ingest Actions
