All Apps and Add-ons

Field values with spaces

tkwaller
Builder

Hello

I'm trying to use a field that has values that have spaces.

For example: errorMsg=Requested tickets could not be reserved

another example: errorMsg=System.ObjectDisposedException: The factory was disposed and can no longer be used. Object name: 'this'.

The problem is that the messages contain spaces. All of the messages are different in this field, some longer with less spaces and some shorter. When I do a stats count command on the errorMsg field but all I get is the first word of the string.

Any ideas on how I can correct this?

I also tried using the Field Extractor but alas no good.

Thank you!

0 Karma
1 Solution

linu1988
Champion

Well you could extract the value from the the event and then assign it to a new filed. Take a chance with the below one.

source...| rex field=_raw "errorMsg=(?P<Error>[\S\s]+)" |stats count by Error

Thanks

View solution in original post

0 Karma

tkwaller
Builder

Both of these seemed to be correct answers. The first solves inline and the second works great as an extraction. Thanks for the help guys, I greatly appreciate it!

0 Karma

linu1988
Champion

Well you could extract the value from the the event and then assign it to a new filed. Take a chance with the below one.

source...| rex field=_raw "errorMsg=(?P<Error>[\S\s]+)" |stats count by Error

Thanks

0 Karma

tkwaller
Builder

yes after the = sign there is always a message like examples above. It is NEVER NULL. When I use the stats command I only get the first word of the message

0 Karma

linu1988
Champion

i meant after = sign do you have the error message or do you get something else??

0 Karma

tkwaller
Builder

but it is always more than one word

0 Karma

tkwaller
Builder

No sometimes it is something more simple as: errorMsg=Requested tickets could not be reserved

0 Karma

linu1988
Champion

do you have the entire sentence always as the error message after errorMsg=?

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...