Splunk Search

Can we use regular expressions in lookups to match the errors in log files?

ashwinipatil198
Explorer

Hi,

I have a log file which has a set of errors
1) ORA-[0-9] errors. For eg: ORA-00054, ORA-00034,ORA-00056 etc
2) DBException
3) DEException
etc..

I have created a lookup to map the above errors to respective error_category and error_messages.

Can I have a regular expression mentioned in lookup to match every type of ORA-[0-9] errors. How will the regular expression be written in the lookup file?

Sample of lookup file:

sourcetype,filter,error_category,error_message,match,begin
LOADER,DBException.,Major,Database business exception.,1,0
LOADER,Application not working properly,Major,The configured file stores may not be present or may not have the proper rights or the other possibility is the failure of database connection.,1,0
LOADER,No space left on device,Major,Not enough space to carry out the processing.,1,0
LOADER,DEException,Major,Application exception.,1,0
LOADER,Error from House keeping component.,Critical,Error from House keeping component.,1,0
LOADER,ERROR.,Major,Error Occurred which will halt the processing.,1,0
LOADER,|ORA-[0-9]|,Major,ORA-00054 Error Occurred which will halt the processing.,1,0

Tags (2)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

I've tried something similar and (AFAIK) lookups cannot do regex.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...