Re: regex everything after last colon in each line

indeed_2000 · ‎06-28-2020

I have log file like this,want regex everything after last colon in each line

input:

2020-06-28 15:03:32,710 ERROR In--111111 [Processor] FATAL: exception in process: javax.RollbackException: ARJUNA016053: Could not commit.

2020-06-28 14:24:41,322 ERROR In--111111[Processor] FATAL: exception in process: [GG_010] Failed >> 0060: required to perform this operation (extended persistence context).

2020-06-28 15:03:32,710 ERROR In--111111 [Processor] FATAL: exception in process: javax.RollbackException: ARJUNA016053:Could not update.

output:

Could not commit

required to perform this operation (extended persistence context)

Could not update

Thanks

isoutamo · ‎06-28-2020

Hi

based on your example.

| rex field=_raw "\d{4,}:(?<message>[^:]+)"

r. Ismo

indeed_2000 · ‎06-28-2020

It’s different sometimes locate in other position

e.g not work on this, that’s why i said “latest” colon position and number of colon may be different

input:

2020-06-28 12:08:21,777 ERROR in-app-9999999 [Service] authorize: org.closed.PropertyAccessException: Null value was assigned to a property [class co.domain.entity] of primitive type setter of domain.entity.

Output:

Null value was assigned to a property [class co.domain.entity] of primitive type setter of domain.entity.

isoutamo · ‎06-28-2020

Then you could try this:
| rex field=_raw ".*:(?<message>[^:]+)"

regex everything after last colon in each line

using Splunk Enterprise

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases