How to write a regex to get the text in red as "ErrorType"?

sphiwee
Contributor

2022-05-08 19:55:05 [machine-run-433303-hit-7496951-step-5389] [ATMX Logs Request/Extraction/Attach 2.5.2] [Business Process-Fraud Logs Card v2.5.2 (ATMXLogAttach)] [C806968] MachineTask [ERROR] UnsupportedCommandException: unknown command: Cannot call non W3C standard command while in W3C mode
2022-05-08 19:55:03 [machine-run-333503-hit-7496951-step-5389] [ATMX Logs Request/Extraction/Attach 2.5.2] [Business Process-Fraud Logs Card v2.5.2 (ATMXLogAttach)] [C806968] UiRobotCapabilities [ERROR] JavascriptException: javascript error: Unexpected identifier (Session info: chrome=94.0.4606.71)
2022-05-08 19:35:37 [machine-run-43333-hit-7496952-step-5389] [ATMX Logs Request/Extraction/Attach 2.5.2] [Business Process-Fraud Logs Card v2.5.2 (ATMXLogAttach)] [C806966] MachineTask [ERROR] TimeoutException: Expected condition failed: waiting for element to be clickable: [unknown locator] (tried for 60 second(s) with 500 MILLISECONDS interval)


I have the above extract from our logs. I would like to write a regex to get the text in red as "ErrorType".

0 Karma

bowesmana
SplunkTrust

If the field is _raw then

| rex ".*\[ERROR\]\s+(?<ErrorType>.*)"

Otherwise add 'field=X' after "rex".

This requires that the data you want must come after the last sequence of [ERROR] and continue to the end of the line.

Full run anywhere example is

| makeresults 
| eval _raw="2022-05-08 19:55:05 [machine-run-433303-hit-7496951-step-5389] [ATMX Logs Request/Extraction/Attach 2.5.2] [Business Process-Fraud Logs Card v2.5.2 (ATMXLogAttach)] [C806968] MachineTask [ERROR] UnsupportedCommandException: unknown command: Cannot call non W3C standard command while in W3C mode|2022-05-08 19:55:03 [machine-run-333503-hit-7496951-step-5389] [ATMX Logs Request/Extraction/Attach 2.5.2] [Business Process-Fraud Logs Card v2.5.2 (ATMXLogAttach)] [C806968] UiRobotCapabilities [ERROR] JavascriptException: javascript error: Unexpected identifier (Session info: chrome=94.0.4606.71)|2022-05-08 19:35:37 [machine-run-43333-hit-7496952-step-5389] [ATMX Logs Request/Extraction/Attach 2.5.2] [Business Process-Fraud Logs Card v2.5.2 (ATMXLogAttach)] [C806966] MachineTask [ERROR] TimeoutException: Expected condition failed: waiting for element to be clickable: [unknown locator] (tried for 60 second(s) with 500 MILLISECONDS interval)"
| eval data=split(_raw, "|")
| mvexpand data
| table data
| rename data as _raw
| rex ".*\[ERROR\]\s+(?<ErrorType>.*)"
0 Karma
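
Added example, not part of the original thread: it illustrates the answer's caveat that the capture starts after the last [ERROR] on the line. Python's re module stands in for rex here; the anchored pattern, the constructed sample lines and the function names are assumptions made for the illustration.

```python
import re

# The answer's pattern. Python spells the named group (?P<name>...),
# where Splunk's rex uses (?<name>...).
GREEDY = re.compile(r".*\[ERROR\]\s+(?P<ErrorType>.*)")

# Assumed variant (not from the thread): rely on the fixed layout
# "date time [..] [..] [..] [..] component [ERROR] message" so the capture
# starts at the level marker even if "[ERROR]" recurs inside the message.
ANCHORED = re.compile(
    r"^\S+ \S+ (?:\[[^\]]*\]\s+){4}\S+\s+\[ERROR\]\s+(?P<ErrorType>.*)"
)

# Common prefix taken from the third log line in the question.
PREFIX = ("2022-05-08 19:35:37 [machine-run-43333-hit-7496952-step-5389] "
          "[ATMX Logs Request/Extraction/Attach 2.5.2] "
          "[Business Process-Fraud Logs Card v2.5.2 (ATMXLogAttach)] "
          "[C806966] MachineTask ")
TIMEOUT_MSG = ("TimeoutException: Expected condition failed: waiting for "
               "element to be clickable: [unknown locator] "
               "(tried for 60 second(s) with 500 MILLISECONDS interval)")
NESTED_MSG = "WebDriverException: page text was '[ERROR] session expired'"

PAGE_LINE = PREFIX + "[ERROR] " + TIMEOUT_MSG   # from the question
NESTED_LINE = PREFIX + "[ERROR] " + NESTED_MSG  # constructed sample
INFO_LINE = PREFIX + "[INFO] step finished"     # constructed sample


def extract(pattern, line):
    """Return the ErrorType capture, or None when the line has no match."""
    m = pattern.search(line)
    return m.group("ErrorType") if m else None


def disagreements(lines):
    """Return (greedy, anchored) pairs for lines where the captures differ."""
    pairs = []
    for line in lines:
        g, a = extract(GREEDY, line), extract(ANCHORED, line)
        if g != a:
            pairs.append((g, a))
    return pairs


if __name__ == "__main__":
    for g, a in disagreements([PAGE_LINE, NESTED_LINE, INFO_LINE]):
        print("greedy  :", g)
        print("anchored:", a)
```

Running a comparison like this over a sample of real events shows whether any message text contains the literal marker and would be truncated by the greedy pattern.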