Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- Re: field extraction - find exact two words and ex...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I want to find all "Error Message" in my log file and get everything after that, with field extraction.
Here is my log:
2021-01-26 23:55:55,265 ERROR APP-02-3452345 [Processor] Error Message, [00000000000000] was not validated with [n{0,18}] format
2021-01-26 23:55:55,264 ERROR APP-02-2431234 [CPI] Error List:
Severity: [0], Type: [FORMAT_ERROR], data: [message.body], object: [ID], message: [Error Message, [000000000000D] was not validated with [n{0,18}] format]
Data:
root: message
1: message.header
...
Here is expectation:
[0000000000000000] was not validated with [n{0,18}] format
[000000000000000D] was not validated with [n{0,18}] format
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @indeed_2000 ,
Try this:
| makeresults
| eval _raw="2021-01-26 23:55:55,265 ERROR APP-02-3452345 [Processor] Error Message, [00000000000000] was not validated with [n{0,18}] format"
| append
[| makeresults
| eval _raw="2021-01-26 23:55:55,264 ERROR APP-02-2431234 [CPI] Error List: Severity: [0], Type: [FORMAT_ERROR], data: [message.body], object: [ID], message: [Error Message, [000000000000D] was not validated with [n{0,18}] format]"]
| rex "Error Message,\s*(?<error_message>\[[\w]+\][\w\s]+\[[\w\W]+\]\s\w+)"
If this reply helps you, an upvote/like would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @indeed_2000 ,
Try this:
| makeresults
| eval _raw="2021-01-26 23:55:55,265 ERROR APP-02-3452345 [Processor] Error Message, [00000000000000] was not validated with [n{0,18}] format"
| append
[| makeresults
| eval _raw="2021-01-26 23:55:55,264 ERROR APP-02-2431234 [CPI] Error List: Severity: [0], Type: [FORMAT_ERROR], data: [message.body], object: [ID], message: [Error Message, [000000000000D] was not validated with [n{0,18}] format]"]
| rex "Error Message,\s*(?<error_message>\[[\w]+\][\w\s]+\[[\w\W]+\]\s\w+)"
If this reply helps you, an upvote/like would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
would you please write it on regex101? https://regex101.com
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this regex then,
Error Message,\s*(?<error_message>\[[\w]+\][\w\s]+\[[\w\{\}\,]+\]\s\w+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, it work on regex101, but in splunk when i try to field extraction, use this as regex but return noting!
is it possible to replace something instead of last part to select everything after "Error Message", because this is unstructured log file and last part of line different.
Error Message,\s*(?<error_message>\[[\w]+\][\w\s]+\[[\w\{\}\,]+\]\s\w+)
also I try this but no result return!
"Error Message"(?<Errors>.*)
Any idea?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It should be "Error Message,\s*(?<Errors>.*)"
SOC4Kafka - New Kafka Connector Powered by OpenTelemetry
Your Voice Matters! Help Us Shape the New Splunk Lantern Experience
Building Momentum: Splunk Developer Program at .conf25
