Splunk Search

Can't use the wildcard '*Exception' because the search job fails, but 'Exception' without it doesn't return any result for java.lang.ArrayIndexOutOfBoundsException

yuraminsk
Engager

I have a complicated query that starts like

host=*hb* Exception OR Exception: NOT whitehat NOT org.springframework.security.web.firewall.RequestRejectedException NOT WARN NOT INFO |

for narrowing the search results down to only the exception lines, but it unexpectedly ignores log lines like

2019/07/09 07:13:53.444  ERROR [ServicelayerJob] (full-Index-cronJob) Job - Caught throwable 367
java.lang.ArrayIndexOutOfBoundsException: 367
    at java.util.stream.SortedOps$SizedRefSortingSink.accept(SortedOps.java:364)
...

If I change it to ... Exception OR Exception: OR ArrayIndexOutOfBoundsException ... then it works as expected. Also, the query *Exception OR Exception: with a wildcard works only on a short time range, and the job fails for the time range I need. How should I change my initial query to grab lines with ArrayIndexOutOfBoundsException and similar ones? Even the simple host=*hb* Exception OR Exception: AND NOT whitehat doesn't catch a line with ArrayIndexOutOfBoundsException.
Thanks.

Splunk version: 7.1.0

0 Karma
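Added example, not part of the original post and not Splunk's own code: a small Python model of why a plain term search for Exception does not return the ArrayIndexOutOfBoundsException event while the wildcard form does. Splunk matches search terms against the terms it indexed, and the segmenter (whitespace and punctuation as major breakers, characters such as `.`, `:` and `-` as minor breakers) turns `java.lang.ArrayIndexOutOfBoundsException:` into the terms `java`, `lang` and `ArrayIndexOutOfBoundsException`, none of which equals `Exception`. The breaker sets below are a simplified assumption modelled on the default segmenters.conf, and the sample events are constructed from the lines in the question.

```python
import fnmatch
import re

# Constructed sample events modelled on the ones in the question (not real log data).
EVENTS = {
    "aioobe": (
        "2019/07/09 07:13:53.444  ERROR [ServicelayerJob] (full-Index-cronJob) Job - Caught throwable 367\n"
        "java.lang.ArrayIndexOutOfBoundsException: 367\n"
        "    at java.util.stream.SortedOps$SizedRefSortingSink.accept(SortedOps.java:364)"
    ),
    "generic": (
        "2019/07/09 07:14:01.002  ERROR [OrderService] (http-nio-8080-exec-3) Exception: order 42 not found"
    ),
    "rejected": (
        "2019/07/09 07:14:05.120  WARN  [RequestRejectedFilter] "
        "org.springframework.security.web.firewall.RequestRejectedException: The request was rejected"
    ),
}

# Simplified approximation of Splunk's default segmenters.conf (an assumption for
# illustration): major breakers split the event into words, minor breakers split
# those words again, and both levels end up as searchable terms.
MAJOR_BREAKERS = r"[\s\[\]<>(){}|!;,'\"*&?+]+"
MINOR_BREAKERS = r"[/:=@.\-$#%\\_]+"


def tokens(event):
    """Return the lower-cased terms an event would be indexed under."""
    terms = set()
    for word in re.split(MAJOR_BREAKERS, event):
        if not word:
            continue
        terms.add(word.lower())                      # whole major segment
        for sub in re.split(MINOR_BREAKERS, word):   # minor sub-segments
            if sub:
                terms.add(sub.lower())
    return terms


def term_matches(event, term):
    """Plain term search: case-insensitive equality with a whole indexed term."""
    return term.lower() in tokens(event)


def wildcard_matches(event, pattern):
    """Wildcard term search: the pattern has to be compared with every indexed
    term, which is why a leading '*' cannot use the index efficiently."""
    pattern = pattern.lower()
    return any(fnmatch.fnmatchcase(t, pattern) for t in tokens(event))


def regex_matches(event, pattern):
    """Post-filter on the raw text, the equivalent of `| regex _raw="..."`."""
    return re.search(pattern, event) is not None


def exception_events(events, include="*Exception", exclude=("whitehat", "WARN", "INFO")):
    """Model of `*Exception NOT whitehat NOT WARN NOT INFO`: keep events whose
    indexed terms match the include pattern and contain none of the excluded terms."""
    return {
        name
        for name, raw in events.items()
        if wildcard_matches(raw, include)
        and not any(term_matches(raw, t) for t in exclude)
    }


if __name__ == "__main__":
    raw = EVENTS["aioobe"]
    print("term 'Exception':", term_matches(raw, "Exception"))
    print("term 'ArrayIndexOutOfBoundsException':", term_matches(raw, "ArrayIndexOutOfBoundsException"))
    print("wildcard '*Exception':", wildcard_matches(raw, "*Exception"))
    print("kept by the modelled query:", sorted(exception_events(EVENTS)))
```

The practical consequence for the query in the question: a term that is only a suffix of a class name is never an indexed term, so it has to be matched either by listing the full class names, by a leading-wildcard term (which forces a scan of every term in the lexicon over the whole time range), or by narrowing with cheap indexed terms first and then applying `| regex _raw="..."` to the raw text of the remaining events.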

jawaharas
Motivator

Are your log files parsed properly for log events that span multiple lines?

Eg: Is the log below a single event?

 2019/07/09 07:13:53.444  ERROR [ServicelayerJob] (full-Index-cronJob) Job - Caught throwable 367
 java.lang.ArrayIndexOutOfBoundsException: 367
     at java.util.stream.SortedOps$SizedRefSortingSink.accept(SortedOps.java:364)

Also, is your timezone different from the one of the timestamp mentioned in the log event?

0 Karma

yuraminsk
Engager

Yes, it's a single event with a stack trace. I don't think the timezone affects it; I'm sure that the events are not restricted by time here.

0 Karma