Splunk Search

Capture groups extracting empty values from log messages

search_in_splun
Explorer

Requesting help with search query. I have application logs in Splunk like,

  • 2024-04-02T12:26:02.244-04:00,severity=DEBUG,thread=main,logger=org.apache.catalina.core.NamingContextListener,{},Creating JNDI naming context
  • 2024-04-02T12:26:02.118-04:00,severity=DEBUG,thread=main,logger=org.apache.catalina.core.NamingContextListener,{}, Adding resource ref UserDatabase ResourceRef[className=org.apache.catalina.UserDatabase,factoryClassLocation=null,factoryClassName=org.apache.naming.factory.ResourceFactory,{type=description,content=User database that can be updated and saved},{type=scope,content=Shareable},{type=auth,content=Container},{type=singleton,content=true},{type=factory,content=org.apache.catalina.users.MemoryUserDatabaseFactory},{type=pathname,content=conf/tomcat-users.xml}]

And I'm using following query to separate different sections of the message,

  • index=my_app_index AND source="**/my-app-service.log" AND sourcetype="app_v1"|rex="(?<mydatetime>^\S*)\,severity=(?<severity>\S*)\,thread=(?<thread>\S*)\,logger=(?<logger>\S*)\,\{\}\,(?<logmsg>(.)*)"|table mydatetime,logger,thread,_raw,logmsg|rename logmsg AS MESSAGE

What I see is,

  • column mydatetime and logmsg(MESSAGE) are empty.

What I expect is,

  • column mydatetime contain initial date-time, and logmsg(MESSAGE)  contain the last message part
mydatetimeloggerthreadlogmsg
2024-04-02T12:26:02.244-04:00org.apache.catalina.core.NamingContextListenermainCreating JNDI naming context
2024-04-02T12:26:02.118-04:00org.apache.catalina.core.NamingContextListenermainAdding resource ref UserDatabase ResourceRef[className=org.apache.catalina.UserDatabase,factoryClassLocation=null,factoryClassName=org.apache.naming.factory.ResourceFactory,{type=description,content=User database that can be updated and saved},{type=scope,content=Shareable},{type=auth,content=Container},{type=singleton,content=true},{type=factory,content=org.apache.catalina.users.MemoryUserDatabaseFactory},{type=pathname,content=conf/tomcat-users.xml}]
Labels (2)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

You don't need the = after the rex

 

| rex "(?<mydatetime>^\S*)\,severity=(?<severity>\S*)\,thread=(?<thread>\S*)\,logger=(?<logger>\S*)\,\{\}\,(?<logmsg>.*)"

Updated to remove brackets in the logmsg pattern

 

View solution in original post

search_in_splun
Explorer

Yes indeed it does solve the issue, but now there's a new issue

Streamed search execute failed because: Error in 'rex' command: regex="(?<mydatetime>^\S*)\,severity=(?<severity>\S*)\,thread=(?<thread>\S*)\,logger=(?<logger>\S*)\,\{\}\,(?<logmsg>(.)*)" has exceeded the configured depth_limit, consider raising the value in limits.conf..

0 Karma

richgalloway
SplunkTrust
SplunkTrust

This regex works with the sample events and is much more efficient according to regex101.com.

| rex "(?<mydatetime>[^,]+),severity=(?<severity>[^,]+),thread=(?<thread>[^,]+),logger=(?<logger>[^,]+),\{\},(?<logmsg>.*)"

 

---
If this reply helps you, Karma would be appreciated.

search_in_splun
Explorer

And this rex doesn't produce any error

ITWhisperer
SplunkTrust
SplunkTrust

Again, what's with the = after the regex? Is this just a typo?

0 Karma

search_in_splun
Explorer

I re-checked by putting the rex you've provided once again without the equal(=) symbol, but surprisingly the error message comes back with words 'regex='

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

You don't need the = after the rex

 

| rex "(?<mydatetime>^\S*)\,severity=(?<severity>\S*)\,thread=(?<thread>\S*)\,logger=(?<logger>\S*)\,\{\}\,(?<logmsg>.*)"

Updated to remove brackets in the logmsg pattern

 

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...