How do I remove lines containing stack trace?

asalinas
New Member

Hello,

I just started to use Splunk to search and generate reports from logs collected from a Java application.

Sometimes the logs contain errors and the corresponding stack trace.

To generate reports I would like to remove all the lines containing the stack traces.

Because those lines don't start with a timestamp I'm wondering if it is possible to remove all the log lines that don't start with a time stamp.

But if there are other ways to accomplish the same thing I'd appreciate any help.

0 Karma
1 Solution

woodcock
Esteemed Legend

I am assuming that you are OK with the traces being in the events, but for this report, you need to strip them. Try adding this to your existing search (you may need to adjust the RegEx to match your timestamp format):

|  rex mode=sed "s/(?msi)^(?!\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}.\d{3}).*//"

View solution in original post

0 Karma

asalinas
New Member

Wow!! You can use sed in the search box? Thank you woodcock, that does exactly what I wanted.

0 Karma

DalJeanis
Legend

Yes, you can use the regex command in your search to kill all records that don't have your particular timestamp format at the beginning. If that was "2019-01-01 12:34:56.789", then it might look like this...

| regex _raw="^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}.\d{3}.*"

OR

| where match(_raw, "^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}.\d{3}")

You could also simplify the regex a bit, as long as the data isn't going to start with anything that almost resembles a timestamp.

| where match(_raw, "^[-0-9]{10}\s+[0-9:.]{12}")
0 Karma

asalinas
New Member

Hi DalJeanis, thank you for your help.
A regular expression like that (minus the _raw field) works to process the logs using something like grep, but it doesn't work on Splunk.
It seems to me Splunk is grouping the line above the stack trace that contains a timestamp and all the stack trace lines (without the timestamp) into one event.

0 Karma
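The exchange above comes down to the difference between filtering lines and filtering events. The following Python model is an added example, not code from the thread or from Splunk: it mimics Splunk's line merging (a line with no timestamp is appended to the preceding event, as asalinas observed) and then applies both approaches from the thread with the same timestamp regex. The event-level filter (`| regex _raw="^<timestamp>.*"`) keeps every event, because each event begins with a timestamp and the trace is inside it, while the `rex mode=sed` substitution strips the trace from inside each event. The log lines are constructed for the example; the `.` before the milliseconds is escaped here, which is an assumption about the intended format.

```python
import re

# Constructed sample of a Java application log: the ERROR line is followed by
# stack-trace lines that carry no timestamp.
RAW_LOG = """\
2019-01-01 12:34:56.789 INFO  Request handled in 12ms
2019-01-01 12:34:57.001 ERROR Failed to process order
java.lang.NullPointerException: order is null
\tat com.example.OrderService.process(OrderService.java:42)
\tat com.example.Handler.handle(Handler.java:17)
2019-01-01 12:34:58.120 INFO  Request handled in 8ms
"""

# Timestamp prefix used in the thread (assumed format: yyyy-MM-dd HH:mm:ss.SSS).
TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}"
TS_RE = re.compile(r"^" + TS)


def group_events(raw):
    """Model Splunk's line merging: a line that does not start with a
    timestamp is appended to the preceding event, so a stack trace becomes
    part of the ERROR event instead of standing alone."""
    events = []
    for line in raw.splitlines():
        if TS_RE.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def grep_lines(raw):
    """The grep-style approach: keep only raw lines that start with a
    timestamp. Works on a flat file, but Splunk does not see lines."""
    return [line for line in raw.splitlines() if TS_RE.match(line)]


def filter_events(events):
    """Equivalent of  | regex _raw="^<timestamp>.*"  (or | where match(...)):
    an event-level filter. Every merged event starts with a timestamp, so
    nothing is dropped and the traces remain inside the events."""
    return [e for e in events if TS_RE.match(e)]


# Equivalent of  | rex mode=sed "s/(?msi)^(?!<timestamp>).*//"  :
# with (?m) '^' matches at every line start inside the event, the negative
# lookahead selects the first line that lacks a timestamp, and with (?s)
# '.*' consumes from there to the end of the event.
STRIP_RE = re.compile(r"(?msi)^(?!" + TS + r").*")


def strip_traces(events):
    """Drop the trailing non-timestamped lines from each event (sed replaces
    only the first match unless the g flag is given, hence count=1)."""
    return [STRIP_RE.sub("", e, count=1).rstrip("\n") for e in events]


if __name__ == "__main__":
    events = group_events(RAW_LOG)
    print(len(grep_lines(RAW_LOG)), "timestamped lines in the flat file")
    print(len(filter_events(events)), "events survive the event-level filter")
    for e in strip_traces(events):
        print(repr(e))
```

The `grep_lines` result (three lines) is what asalinas expected; `filter_events` shows why the same regex changes nothing once Splunk has merged the trace into the ERROR event; `strip_traces` is the per-event edit that finally produces single-line events for the report.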