
How to write a regex to get the text in red as "ErrorType"?

sphiwee
Contributor

2022-05-08 19:55:05 [machine-run-433303-hit-7496951-step-5389] [ATMX Logs Request/Extraction/Attach 2.5.2] [Business Process-Fraud Logs Card v2.5.2 (ATMXLogAttach)] [C806968] MachineTask [ERROR] UnsupportedCommandException: unknown command: Cannot call non W3C standard command while in W3C mode
2022-05-08 19:55:03 [machine-run-333503-hit-7496951-step-5389] [ATMX Logs Request/Extraction/Attach 2.5.2] [Business Process-Fraud Logs Card v2.5.2 (ATMXLogAttach)] [C806968] UiRobotCapabilities [ERROR] JavascriptException: javascript error: Unexpected identifier (Session info: chrome=94.0.4606.71)
2022-05-08 19:35:37 [machine-run-43333-hit-7496952-step-5389] [ATMX Logs Request/Extraction/Attach 2.5.2] [Business Process-Fraud Logs Card v2.5.2 (ATMXLogAttach)] [C806966] MachineTask [ERROR] TimeoutException: Expected condition failed: waiting for element to be clickable: [unknown locator] (tried for 60 second(s) with 500 MILLISECONDS interval)


I have the above extract from our logs. I would like to write a regex to get the text in red as "ErrorType".

0 Karma

bowesmana
SplunkTrust

If the field is _raw then

| rex ".*\[ERROR\]\s+(?<ErrorType>.*)"

Otherwise add 'field=X' after "rex".

This requires that the data you want must come after the last sequence of [ERROR] and continue to the end of the line.

Full run anywhere example is

| makeresults 
| eval _raw="2022-05-08 19:55:05 [machine-run-433303-hit-7496951-step-5389] [ATMX Logs Request/Extraction/Attach 2.5.2] [Business Process-Fraud Logs Card v2.5.2 (ATMXLogAttach)] [C806968] MachineTask [ERROR] UnsupportedCommandException: unknown command: Cannot call non W3C standard command while in W3C mode|2022-05-08 19:55:03 [machine-run-333503-hit-7496951-step-5389] [ATMX Logs Request/Extraction/Attach 2.5.2] [Business Process-Fraud Logs Card v2.5.2 (ATMXLogAttach)] [C806968] UiRobotCapabilities [ERROR] JavascriptException: javascript error: Unexpected identifier (Session info: chrome=94.0.4606.71)|2022-05-08 19:35:37 [machine-run-43333-hit-7496952-step-5389] [ATMX Logs Request/Extraction/Attach 2.5.2] [Business Process-Fraud Logs Card v2.5.2 (ATMXLogAttach)] [C806966] MachineTask [ERROR] TimeoutException: Expected condition failed: waiting for element to be clickable: [unknown locator] (tried for 60 second(s) with 500 MILLISECONDS interval)"
| eval data=split(_raw, "|")
| mvexpand data
| table data
| rename data as _raw
| rex ".*\[ERROR\]\s+(?<ErrorType>.*)"
0 Karma
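The "last sequence of [ERROR]" caveat from the answer above, as an added Python example that is not part of the original thread. The lazy `FIRST_MARKER` variant, the helper names and the two lines marked as constructed are assumptions made for illustration; Python writes the named group as `(?P<ErrorType>...)` where the rex uses `(?<ErrorType>...)`.

```python
import re

# Pattern from the answer: the greedy ".*" runs to the LAST "[ERROR]" on the line.
LAST_MARKER = re.compile(r".*\[ERROR\]\s+(?P<ErrorType>.*)")
# Assumed variant, not from the thread: the lazy ".*?" stops at the FIRST "[ERROR]".
FIRST_MARKER = re.compile(r".*?\[ERROR\]\s+(?P<ErrorType>.*)")


def extract(line, pattern=LAST_MARKER):
    """Return the ErrorType capture, or None when the line has no [ERROR] marker."""
    m = pattern.search(line)
    return m.group("ErrorType") if m else None


def ambiguous(lines):
    """Lines where the two anchors disagree, so the message itself contains [ERROR]."""
    return [l for l in lines
            if extract(l, LAST_MARKER) != extract(l, FIRST_MARKER)]


PREFIX = ("[ATMX Logs Request/Extraction/Attach 2.5.2] "
          "[Business Process-Fraud Logs Card v2.5.2 (ATMXLogAttach)] ")
SAMPLES = [
    # First event from the question.
    "2022-05-08 19:55:05 [machine-run-433303-hit-7496951-step-5389] " + PREFIX +
    "[C806968] MachineTask [ERROR] UnsupportedCommandException: unknown command: "
    "Cannot call non W3C standard command while in W3C mode",
    # Constructed: the message text repeats the marker.
    "2022-05-08 19:30:00 [machine-run-0-hit-0-step-0] " + PREFIX +
    "[C000000] MachineTask [ERROR] WrappedException: downstream said "
    "[ERROR] retry budget exhausted",
    # Constructed: no [ERROR] marker, so nothing is extracted.
    "2022-05-08 19:29:00 [machine-run-0-hit-0-step-0] " + PREFIX +
    "[C000000] MachineTask [INFO] step completed",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print("last :", extract(line))
        print("first:", extract(line, FIRST_MARKER))
    print("ambiguous lines:", len(ambiguous(SAMPLES)))
```

Running `ambiguous` over a sample of real events shows whether the choice of anchor matters for a given sourcetype before the extraction is used in a dashboard.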