Dashboards & Visualizations

how to extract below fields from raw logs

aditsss
Motivator

][ERROR][pub-#32738][AssociationRemoteProcessor] Exception while running association: javax.cache.CacheException: class org.apache.ignite.IgniteInterrup

[2023-11-09T06:06:02,015][ERROR][pub-#19230][FedPledgingFlaggingRemoteProcessor] No rejection criteria found for the specified key: CO.

Hi ,

Can anyone guide me how to extract the highlighted text.

Labels (4)
0 Karma

inventsekar
SplunkTrust
SplunkTrust

Hi @aditsss ... if any reply solved your query, could you pls accept it as a solution.. 

karma points / upvotes are appreciated, thanks. 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @aditsss ,

please try this regex:

| rex ".*\]\s*(?<msg>[^:]+)"

that you can test at https://regex101.com/r/7yLHPr/1

Ciao.

Giuseppe 

inventsekar
SplunkTrust
SplunkTrust

Hi @aditsss 

Please check this:

 

| makeresults
| eval _raw="[AssociationRemoteProcessor] Exception while running association: javax"
| rex field=_raw "\]\s(?<rexField>.*)\:"
| table _raw rexField

 

this rex produces this output:

_raw rexField

[AssociationRemoteProcessor] Exception while running association: javaxException while running association

richgalloway
SplunkTrust
SplunkTrust

It would help to know what you've tried so far, but perhaps this will help.

| rex "] (?<field>.*?):"
---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...