Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

field extraction - find exact two words and extract string after that

indeed_2000
Motivator
‎01-27-2021 07:57 AM

Hi

I want to find all "Error Message" in my log file and get everything after  that, with field extraction.

Here is my log:

2021-01-26 23:55:55,265 ERROR APP-02-3452345 [Processor] Error Message, [00000000000000] was not validated with [n{0,18}] format

2021-01-26 23:55:55,264 ERROR APP-02-2431234 [CPI] Error List:
Severity: [0], Type: [FORMAT_ERROR], data: [message.body], object: [ID], message: [Error Message, [000000000000D] was not validated with [n{0,18}] format]
Data:
root: message
1: message.header
...

Here is expectation:

[0000000000000000] was not validated with [n{0,18}] format

[000000000000000D] was not validated with [n{0,18}] format

 

Thanks,

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎01-27-2021 09:29 AM

hi @indeed_2000 ,

Try this:

| makeresults 
| eval _raw="2021-01-26 23:55:55,265 ERROR APP-02-3452345 [Processor] Error Message, [00000000000000] was not validated with [n{0,18}] format" 
| append 
    [| makeresults 
    | eval _raw="2021-01-26 23:55:55,264 ERROR APP-02-2431234 [CPI] Error List: Severity: [0], Type: [FORMAT_ERROR], data: [message.body], object: [ID], message: [Error Message, [000000000000D] was not validated with [n{0,18}] format]"] 
| rex "Error Message,\s*(?<error_message>\[[\w]+\][\w\s]+\[[\w\W]+\]\s\w+)"

 

If this reply helps you, an upvote/like would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎01-27-2021 09:29 AM

hi @indeed_2000 ,

Try this:

| makeresults 
| eval _raw="2021-01-26 23:55:55,265 ERROR APP-02-3452345 [Processor] Error Message, [00000000000000] was not validated with [n{0,18}] format" 
| append 
    [| makeresults 
    | eval _raw="2021-01-26 23:55:55,264 ERROR APP-02-2431234 [CPI] Error List: Severity: [0], Type: [FORMAT_ERROR], data: [message.body], object: [ID], message: [Error Message, [000000000000D] was not validated with [n{0,18}] format]"] 
| rex "Error Message,\s*(?<error_message>\[[\w]+\][\w\s]+\[[\w\W]+\]\s\w+)"

 

If this reply helps you, an upvote/like would be appreciated.

Reply
Solved! Jump to solution

indeed_2000
Motivator
‎01-28-2021 12:52 PM

would you please write it on regex101?    https://regex101.com

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎01-28-2021 08:08 PM

Try this regex then,

Error Message,\s*(?<error_message>\[[\w]+\][\w\s]+\[[\w\{\}\,]+\]\s\w+)

 

0 Karma
Reply
Solved! Jump to solution

indeed_2000
Motivator
‎01-28-2021 11:02 PM

Thank you, it work on regex101, but in splunk when i try to field extraction, use this as regex but return noting!

is it possible to replace something instead of last part to select everything after "Error Message", because this is unstructured log file and last part of line different.

Error Message,\s*(?<error_message>\[[\w]+\][\w\s]+\[[\w\{\}\,]+\]\s\w+)

 

also I try this but no result return!

"Error Message"(?<Errors>.*)

Any idea?

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎01-29-2021 02:24 AM

It should be "Error Message,\s*(?<Errors>.*)"

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...