Hi,
I am quite new to the Splunk platform. Can you please help me out here with my requirement:
I have to write a logic in my query where if I encounter a particular text in the strings of data I need to pass that text as an entry in my table. Please refer to the following example.
I have a line of data like: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580
(OR)
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v2580
If I encounter data 52e or data 775 in the line of text I need to make an entry in my result table, something like this:
subject   error      XFF        XMSFCIP
xxxxxx    data 52e   xxxxxxxx   xx.xxx.xx.xxx
xxxxxx    data 775   xxxxxxxx   xx.xxx.xx.xxx
xxxxxx    data 775   xxxxxxxx   xx.xxx.xxx.xx
Any help is greatly appreciated!
Thanks in advance
Hi
Use the strings you are looking for to filter the results, so:
source=yoursource index=yourindex "data 775" OR "data 52e"
Then use rex to extract the error code, like this:
| rex field=_raw "error\scode\s(?<error>\d+)"
(and do the same with the remaining fields I can't understand from your sample: subject, XFF and XMSFCIP)
And finally table everything
| table subject, error, XFF, XMSFCIP
Thank you, for your suggestion.
| rex field=errorLDAP "AcceptSecurityContext error,\s(?[^,]+),"
The above worked where errorLDAP holds either (I wrote an eval logic to consume only below string of data) :
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580
(OR)
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v2580
@rakeshyv0807, based on your question and sample data, if the only assistance you require is extracting the error field, you can try the following rex command:
<YourBaseSearch> "javax.naming.AuthenticationException:" "comment: AcceptSecurityContext error"
| rex "error,\s(?<error>[^,]+),"
If the remaining fields i.e. subject XFF XMSFCIP are also present in the sample log provided, please let us know their corresponding values so that we can assist you with those regular expressions as well.
| rex field=errorLDAP "AcceptSecurityContext error,\s(?[^,]+),"
The above worked where errorLDAP holds either (I wrote an eval logic to consume only below string of data) :
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580
(OR)
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v2580
Sorry, your issue is not clear. Can you paste code and data as code using the code button i.e. 101010 so that special characters do not escape?
Have you tried the suggested query? What is the final output you need? Are all the fields already extracted or you need assistance with the field extraction? Please add more details so that community members can assist.
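Added example, not part of the thread: the same extraction the rex commands above perform, written in Python and run over the two sample lines from the question plus one constructed unrelated line. The function names and the sub-code meanings (52e = invalid credentials, 775 = account locked out) are additions and do not come from the posts.

```python
import re
from collections import Counter

# Matches the LDAP bind failure text shown in the thread and captures the
# LDAP result code and the hex sub-code that follows "data".
LDAP_ERR = re.compile(
    r"LDAP: error code (?P<ldap_code>\d+) - .*?"
    r"AcceptSecurityContext error,\s*data\s+(?P<sub>[0-9a-fA-F]+),"
)

# Meanings of the two sub-codes from the thread (added here, not in the posts).
SUB_CODE_MEANING = {"52e": "invalid credentials", "775": "account locked out"}


def parse_line(line):
    """Return the extracted fields for a matching line, or None if unrelated."""
    m = LDAP_ERR.search(line)
    if m is None:
        return None
    sub = m.group("sub").lower()
    return {
        "ldap_code": int(m.group("ldap_code")),
        "error": f"data {sub}",  # same value the thread wants in the table
        "meaning": SUB_CODE_MEANING.get(sub, "unmapped sub-code"),
    }


def summarize(lines):
    """Parse all lines, drop non-matching ones, and count rows per error."""
    rows = [r for r in map(parse_line, lines) if r is not None]
    return rows, Counter(r["error"] for r in rows)


# Sample input: the two lines from the question plus one constructed line.
PREFIX = ("javax.naming.AuthenticationException: [LDAP: error code 49 - "
          "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, ")
SAMPLE = [
    PREFIX + "data 52e, v2580",
    PREFIX + "data 775, v2580",
    "constructed line: request completed without an LDAP error",
]

if __name__ == "__main__":
    rows, counts = summarize(SAMPLE)
    for row in rows:
        print(f'{row["error"]:<10} {row["ldap_code"]:<4} {row["meaning"]}')
    print(dict(counts))
```

Python spells the named group `(?P<sub>...)`, whereas Splunk's rex uses `(?<error>...)`.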