Splunk Enterprise

field extraction - find exact two words and extract string after that

mehrdad_2000
Path Finder

Hi

I want to find all "Error Message" in my log file and get everything after that, with field extraction.

Here is my log:

2021-01-26 23:55:55,265 ERROR APP-02-3452345 [Processor] Error Message, [00000000000000] was not validated with [n{0,18}] format

2021-01-26 23:55:55,264 ERROR APP-02-2431234 [CPI] Error List:
Severity: [0], Type: [FORMAT_ERROR], data: [message.body], object: [ID], message: [Error Message, [000000000000D] was not validated with [n{0,18}] format]
Data:
root: message
1: message.header
...

Here is the expectation:

[0000000000000000] was not validated with [n{0,18}] format

[000000000000000D] was not validated with [n{0,18}] format

 

Thanks,

1 Solution

manjunathmeti
Champion

hi @mehrdad_2000 ,

Try this:

| makeresults 
| eval _raw="2021-01-26 23:55:55,265 ERROR APP-02-3452345 [Processor] Error Message, [00000000000000] was not validated with [n{0,18}] format" 
| append 
    [| makeresults 
    | eval _raw="2021-01-26 23:55:55,264 ERROR APP-02-2431234 [CPI] Error List: Severity: [0], Type: [FORMAT_ERROR], data: [message.body], object: [ID], message: [Error Message, [000000000000D] was not validated with [n{0,18}] format]"] 
| rex "Error Message,\s*(?<error_message>\[[\w]+\][\w\s]+\[[\w\W]+\]\s\w+)"

 

If this reply helps you, an upvote/like would be appreciated.

mehrdad_2000
Path Finder

Would you please write it on regex101? https://regex101.com

manjunathmeti
Champion

Try this regex then,

Error Message,\s*(?<error_message>\[[\w]+\][\w\s]+\[[\w\{\}\,]+\]\s\w+)

mehrdad_2000
Path Finder

Thank you, it works on regex101, but in Splunk when I try field extraction, using this as the regex returns nothing!

Is it possible to replace the last part with something that selects everything after "Error Message", because this is an unstructured log file and the last part of the line is different.

Error Message,\s*(?<error_message>\[[\w]+\][\w\s]+\[[\w\{\}\,]+\]\s\w+)

I also tried this, but no result is returned!

"Error Message"(?<Errors>.*)

Any idea?

manjunathmeti
Champion

It should be "Error Message,\s*(?<Errors>.*)"
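The regexes from this thread run against the two log lines in the question, as an added example that is not part of the original thread. Python's re module stands in for Splunk's rex command here, which only changes the named-group syntax from (?<name>...) to (?P<name>...). The sample events are copied from the question; the fourth, "trimmed" pattern is my own addition and assumes that a trailing "]" is the only thing to drop when the match sits inside a bracketed message field.

```python
import re
from typing import List, Optional

# Constructed sample events, copied from the two log lines in the question.
SAMPLE_EVENTS = [
    "2021-01-26 23:55:55,265 ERROR APP-02-3452345 [Processor] Error Message, "
    "[00000000000000] was not validated with [n{0,18}] format",
    "2021-01-26 23:55:55,264 ERROR APP-02-2431234 [CPI] Error List: Severity: [0], "
    "Type: [FORMAT_ERROR], data: [message.body], object: [ID], message: "
    "[Error Message, [000000000000D] was not validated with [n{0,18}] format]",
]

# The patterns discussed in the thread. Splunk's rex is PCRE and writes a named
# group as (?<name>...); Python's re module spells it (?P<name>...), which is the
# only translation applied below.
PATTERNS = {
    # accepted answer: walk the bracketed structure explicitly
    "structured": r"Error Message,\s*(?P<Errors>\[[\w]+\][\w\s]+\[[\w\W]+\]\s\w+)",
    # the asker's attempt: the double quotes are literal characters that never
    # occur in the events, so the pattern cannot match anything
    "quoted": r'"Error Message"(?P<Errors>.*)',
    # the final answer: everything after the literal "Error Message,"
    "rest_of_line": r"Error Message,\s*(?P<Errors>.*)",
    # added here (assumption): same as rest_of_line, but a lazy capture followed
    # by an optional closing bracket at end of line, so the "]" that closes the
    # surrounding message: [...] field in the second event is not captured
    "rest_of_line_trimmed": r"Error Message,\s*(?P<Errors>.*?)\]?$",
}


def extract(event: str, pattern: str) -> Optional[str]:
    """Return the Errors capture group for one event, or None when there is no match."""
    m = re.search(pattern, event)
    return m.group("Errors") if m else None


def extract_all(events: List[str], pattern: str) -> List[Optional[str]]:
    """Apply one pattern to every event, mirroring rex over a result set."""
    return [extract(e, pattern) for e in events]


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(name)
        for value in extract_all(SAMPLE_EVENTS, pattern):
            print("   ", value)
```

Running it shows why each step of the thread went the way it did: "structured" matches both events and stops before the stray "]" because the regex ends in "\s\w+"; "quoted" returns None for both, since the quotes are matched literally; "rest_of_line" matches both but carries the closing "]" of the message field along on the second event, which is the price of an unanchored ".*". When the field extraction UI returns nothing, pasting the regex into a | rex pipeline such as the one in the accepted answer is the quickest way to tell a regex problem from a field-extraction configuration problem.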
