How to replace the field value which contains "ORA...

sushe10 · ‎08-01-2017

I have my search query as:
index=itf host ="it*" bsName=something logLevel=ERROR bsBatchName="something" | dedup message | table bsName, bsbatchName, message

The table result of this has message column with the below data which i need to replace with just (ORA-00001: unique constraint):
Exception caught while creating sales statistics, OneByOne. Order=873250418, Receiver='MHS', Error: PreparedStatementCallback; SQL [INSERT INTO MHS_STATS_SENT_LOG (SORD_NO, MHS_STATS_SENT) VALUES (?, ?)]; ORA-00001: unique constraint (MTCSALES.MHS_STATS_LOG_PK) violated ; nested exception is java.sql.SQLIntegrityConstraintViolationException: ORA-00001: unique constraint (MTCSALES.MHS_STATS_LOG_PK) violate

It's like any message filed value which has "ORA-00001: unique constraint" should be replaced with only "ORA-00001: unique constraint".

3no · ‎08-02-2017

Hi,

Try this :

index=itf host ="it*" bsName=something logLevel=ERROR bsBatchName="something" | dedup message | eval message=if(like(_raw, "ORA-00001: unique constraint"), "ORA-00001: unique constraint", message) | table bsName, bsbatchName, message

3no.

How to replace the field value which contains "ORA-00001: unique constraint" with "ORA-00001: unique constraint" ??

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

Are you a member of the Splunk Community?

How to replace the field value which contains "ORA-00001: unique constraint" with "ORA-00001: unique constraint" ??

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...