Dashboards & Visualizations

How to write a regex to get the text in red as "ErrorType"?

sphiwee
Contributor

2022-05-08 19:55:05 [machine-run-433303-hit-7496951-step-5389] [ATMX Logs Request/Extraction/Attach 2.5.2] [Business Process-Fraud Logs Card v2.5.2 (ATMXLogAttach)] [C806968] MachineTask [ERROR] UnsupportedCommandException: unknown command: Cannot call non W3C standard command while in W3C mode
2022-05-08 19:55:03 [machine-run-333503-hit-7496951-step-5389] [ATMX Logs Request/Extraction/Attach 2.5.2] [Business Process-Fraud Logs Card v2.5.2 (ATMXLogAttach)] [C806968] UiRobotCapabilities [ERROR] JavascriptException: javascript error: Unexpected identifier (Session info: chrome=94.0.4606.71)
2022-05-08 19:35:37 [machine-run-43333-hit-7496952-step-5389] [ATMX Logs Request/Extraction/Attach 2.5.2] [Business Process-Fraud Logs Card v2.5.2 (ATMXLogAttach)] [C806966] MachineTask [ERROR] TimeoutException: Expected condition failed: waiting for element to be clickable: [unknown locator] (tried for 60 second(s) with 500 MILLISECONDS interval)


I have the above extract from our logs. I would like to write a regex to get the text in red as "ErrorType".

0 Karma

bowesmana
SplunkTrust

If the field is _raw then

| rex ".*\[ERROR\]\s+(?<ErrorType>.*)"

Otherwise add 'field=X' after "rex".

This requires that the data you want must come after the last sequence of [ERROR] and continue to the end of the line.

Full run anywhere example is

| makeresults 
| eval _raw="2022-05-08 19:55:05 [machine-run-433303-hit-7496951-step-5389] [ATMX Logs Request/Extraction/Attach 2.5.2] [Business Process-Fraud Logs Card v2.5.2 (ATMXLogAttach)] [C806968] MachineTask [ERROR] UnsupportedCommandException: unknown command: Cannot call non W3C standard command while in W3C mode|2022-05-08 19:55:03 [machine-run-333503-hit-7496951-step-5389] [ATMX Logs Request/Extraction/Attach 2.5.2] [Business Process-Fraud Logs Card v2.5.2 (ATMXLogAttach)] [C806968] UiRobotCapabilities [ERROR] JavascriptException: javascript error: Unexpected identifier (Session info: chrome=94.0.4606.71)|2022-05-08 19:35:37 [machine-run-43333-hit-7496952-step-5389] [ATMX Logs Request/Extraction/Attach 2.5.2] [Business Process-Fraud Logs Card v2.5.2 (ATMXLogAttach)] [C806966] MachineTask [ERROR] TimeoutException: Expected condition failed: waiting for element to be clickable: [unknown locator] (tried for 60 second(s) with 500 MILLISECONDS interval)"
| eval data=split(_raw, "|")
| mvexpand data
| table data
| rename data as _raw
| rex ".*\[ERROR\]\s+(?<ErrorType>.*)"
0 Karma
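The answer's caveat about the last [ERROR] can be checked outside Splunk. This is an added example, not code from the thread; it uses Python's `re`, where a named group is written `(?P<name>...)` instead of rex's `(?<name>...)`. The LAZY and SPLIT patterns, the field names ErrorClass and ErrorMessage, and the second and third sample lines are assumptions made for illustration.

```python
import re

# The answer's pattern in Python spelling: greedy ".*" backtracks to the LAST [ERROR].
GREEDY = re.compile(r".*\[ERROR\]\s+(?P<ErrorType>.*)")
# Hypothetical variant: lazy ".*?" stops at the FIRST [ERROR] on the line.
LAZY = re.compile(r".*?\[ERROR\]\s+(?P<ErrorType>.*)")
# Hypothetical extension: split the capture into exception class and message.
SPLIT = re.compile(r"\[ERROR\]\s+(?P<ErrorClass>\w+):\s*(?P<ErrorMessage>.*)")

# First line is from the question; the other two are constructed for this example.
PAGE_LINE = (
    "2022-05-08 19:55:05 [machine-run-433303-hit-7496951-step-5389] "
    "[ATMX Logs Request/Extraction/Attach 2.5.2] "
    "[Business Process-Fraud Logs Card v2.5.2 (ATMXLogAttach)] [C806968] "
    "MachineTask [ERROR] UnsupportedCommandException: unknown command: "
    "Cannot call non W3C standard command while in W3C mode"
)
NESTED_LINE = (
    "2022-05-08 19:55:05 [run-1] [C000001] MachineTask [ERROR] "
    "RetryException: upstream replied [ERROR] code 7"
)
INFO_LINE = "2022-05-08 19:55:05 [run-1] [C000001] MachineTask [INFO] started"


def extract(pattern, line):
    """Return the named groups as a dict, or None when the line does not match
    (rex likewise leaves the field unset on non-matching events)."""
    m = pattern.search(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for name, pattern in (("greedy", GREEDY), ("lazy", LAZY), ("split", SPLIT)):
        for line in (PAGE_LINE, NESTED_LINE, INFO_LINE):
            print(name, "->", extract(pattern, line))
```

On the question's lines the greedy and lazy forms agree; they differ only when the message text itself contains a second [ERROR].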