Getting Data In
Highlighted

How to parse out a single line following a static line in a java stack trace?

New Member

Hello,

I am new to Splunk and attempting to parse and display a single line of text from a java stack trace captured in a single event.

Here is a sample of the stack trace:

com.sun.proxy.$Proxy90.executeOpCodeForXml(Unknown Source)
ca.shaw.billing.integration.core.BrmGateway.buildConnection(BrmGateway.java:61)
ca.shaw.billing.integration.core.BrmGateway.executeOpCodeForXml(BrmGateway.java:39)
ca.shaw.billing.tasks.account.overview.AccountOverviewTask.getAgingBucketsResponseFlist(AccountOverviewTask.java:93)
ca.shaw.billing.tasks.account.overview.AccountOverviewTask.getAccountOverviewInfo(AccountOverviewTask.java:64)

I have built a "top" display for all the events which find this stack trace over a given period of time using the following query:

index=brm source=/opt/brm/weblogic/Oracle/Middleware/user_projects/domains/billing_service_domain/servers/* "[STUCK] ExecuteThread" "socketRead0" | rex field=_raw "X_SHAW_TRANSACTION_ID:(?.*)" 
| eval myTime=strftime(_time,"%Y-%m-%dT%H:%M:%S.%Q")
| dedup theTransaction 
|  top 0 myTime,theTransaction

What I am having trouble with is parsing out the line that follows a static line which is in all stack traces:

ca.shaw.billing.integration.core.BrmGateway.executeOpCodeForXml(BrmGateway.java:39)

...then add this result to the display as well.

From above, the line I would want is:

ca.shaw.billing.tasks.account.overview.AccountOverviewTask.getAgingBucketsResponseFlist(AccountOverviewTask.java:93)

Any help would be appreciated!

0 Karma
Highlighted

Re: How to parse out a single line following a static line in a java stack trace?

Builder

Hello enkidu999,

If you want to parse out the line following a line in an event, here is how you would do it. Let's take your sample data:


com.sun.proxy.$Proxy90.executeOpCodeForXml(Unknown Source)
ca.shaw.billing.integration.core.BrmGateway.buildConnection(BrmGateway.java:61)
ca.shaw.billing.integration.core.BrmGateway.executeOpCodeForXml(BrmGateway.java:39)
ca.shaw.billing.tasks.account.overview.AccountOverviewTask.getAgingBucketsResponseFlist(AccountOverviewTask.java:93)
ca.shaw.billing.tasks.account.overview.AccountOverviewTask.getAccountOverviewInfo(AccountOverviewTask.java:64)

To get the line following ca.shaw.billing.integration.core.BrmGateway.executeOpCodeForXml(BrmGateway.java:39) you would do something like this:

| rex "ca\.shaw\.billing\.integration\.core\.BrmGateway\.executeOpCodeForXml\(BrmGateway\.java:39\)[\r\n]+(?<LineIWant>[^\r\n]+)"

(When using rex you have to escape special characters in regex, like the period . or parenthesis () with a backslash character \ as seen above)
How does this look?
In the following image I create a "dummy" event using your 5 lines of data. Then I apply the | rex command after the dummy event is created. Next I print a table with the _raw field and the captured field (LineIWant in this case, but you can change that to whatever you want it to be in the rex command)
Screen Capture:
alt text

View solution in original post

0 Karma
Highlighted

Re: How to parse out a single line following a static line in a java stack trace?

New Member

Hello jnudell_2,
Thanks for showing me a sample of how you would set it up, you saved me hours of searching forums and trial+error, being new to Splunk.
Thanks!

0 Karma
Highlighted

Re: How to parse out a single line following a static line in a java stack trace?

Motivator

@enkidu999,

Try | rex field=_raw "ca\.shaw\.billing\.integration\.core\.BrmGateway\.executeOpCodeForXml\(BrmGateway\.java:39\)(?<stack_trace_line>[^)]+\))" command to extract that line. This will extract the line you want in field stack_trace_line.

Hope this helps!!!

0 Karma
Highlighted

Re: How to parse out a single line following a static line in a java stack trace?

New Member

Hello VatsalJagani,

Your rex worked great!

Thanks!

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.