Archive

whats the rex command to filter the special characters and extract only required fields?

Explorer

Hello experts,

logs looks something like this..

(java.lang.RuntimeException: java.util.concurrent.ExecutionException: java.lang.RuntimeException:...

null\n\njava.lang.IllegalArgumentException
: java.util.concurrent.ExecutionException..
( java.util.concurrent.ExecutionException)
" java.util.concurrent.ExecutionException"

query should ignore the special characters before java and take only exception.

example: query should find "java.lang.IllegalArgumentException" from this log line "null\n\njava.lang.IllegalArgumentException".

I am able to pull exceptions which are not associated with special characters using rex "(?java?.[.\w]+Exception)" but

thanks

Tags (1)
0 Karma

SplunkTrust
SplunkTrust

can you please provide full sample events and output you want?

0 Karma

Communicator

Hello!
Try this run anywhere search

| makeresults 
| eval _raw="null\n\njava.lang.IllegalArgumentException
: java.util.concurrent.ExecutionException..
( java.util.concurrent.ExecutionException)
\" java.util.concurrent.ExecutionException\"" 
| rex field=_raw max_match=0 "(?<javaexception>java?.[.\w]+Exception)"

You can try something like this

| rex field=_raw (?<javaexception>java?.[.\w]+Exception)

OR

| rex field=_raw (?<javaexception>java.*Exception)
0 Karma

Explorer

ddint work. its not correct.

0 Karma

Communicator

I edited my answer. did you check?
Also, if its not correct can you elaborate by giving sample inputs and what output you want

0 Karma

Communicator

Try this run anywhere search

| makeresults 
| eval _raw="null\n\njava.lang.IllegalArgumentException
: java.util.concurrent.ExecutionException..
( java.util.concurrent.ExecutionException)
\" java.util.concurrent.ExecutionException\"" 
| rex field=_raw max_match=0 "(?<java>(\S+|)java.\w+.*Exception)"
0 Karma

Explorer

no rex command is still not working.

0 Karma

Communicator

Can you please send me one full event? Also, please send the search query you're using.

0 Karma

Explorer
0 Karma

Communicator

For this, you need to use max_match=0 in the rex expression.

Use this query

rex field=_raw max_match=0 "(?<java>(\S+|)java.\w+.*Exception)"
0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!