- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- How to display only the first line of stacktrace f...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to display only the first line of stacktrace from each stacktrace in results
We have exception stacktrace in logs and while searching it in splunk, each stacktrace show all the lines from trace. We would like to search and display only the first line of each stacktrace from the searched results. Please suggest how to acheive this?
Thanks in advance !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could also do this
rex field=exception "(?<shortmessage>[^\r\n])"
which I use with this other bit to get a nice look at "caused by" too:
| rex field=exception "(?<shortmessage>[^\r\n])" | eval shorter_msg=substr(shortmessage,1,180) | rex field=exception "Caused by: (?<caused_by>[^\r\n])" | stats count by level,shortmessage,caused_by | sort count desc
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since telling someone (and all others who google their way here) to RTFM on REGEX is basically worthless, I thought I'd share a solution which actually worked:
rex field=exception "(?<shortmessage>.*)"
This gets the first line of a stack trace.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In addition to the good advice from chaker ...
If you have the possibility to make changes at the log-source/appender i would recommend to try to cut the output from this one, down from the whole stack trace to just the first line or first few lines ... this will same you money and resource on the splunk side.
Another option would be to set up something like SEDCMD or a transforms to remove the actual data from the events at index-time, this will also save you some money but will cost you resources splunk-wise .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could extract the first line into a new field using the rex command, and use regular expression to define or identify the end of the line.
http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Rex
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
