How to replace the field value which contains "ORA...

sushe10 · ‎08-01-2017

I have my search query as:
index=itf host ="it*" bsName=something logLevel=ERROR bsBatchName="something" | dedup message | table bsName, bsbatchName, message

The table result of this has message column with the below data which i need to replace with just (ORA-00001: unique constraint):
Exception caught while creating sales statistics, OneByOne. Order=873250418, Receiver='MHS', Error: PreparedStatementCallback; SQL [INSERT INTO MHS_STATS_SENT_LOG (SORD_NO, MHS_STATS_SENT) VALUES (?, ?)]; ORA-00001: unique constraint (MTCSALES.MHS_STATS_LOG_PK) violated ; nested exception is java.sql.SQLIntegrityConstraintViolationException: ORA-00001: unique constraint (MTCSALES.MHS_STATS_LOG_PK) violate

It's like any message filed value which has "ORA-00001: unique constraint" should be replaced with only "ORA-00001: unique constraint".

3no · ‎08-02-2017

Hi,

Try this :

index=itf host ="it*" bsName=something logLevel=ERROR bsBatchName="something" | dedup message | eval message=if(like(_raw, "ORA-00001: unique constraint"), "ORA-00001: unique constraint", message) | table bsName, bsbatchName, message

3no.

How to replace the field value which contains "ORA-00001: unique constraint" with "ORA-00001: unique constraint" ??

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation