Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: searching log text that contains a line break
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sample text from a log that I'm searching:
"store license for Store 123456
2022-03-27 02:01:59,649 [XNIO-2 task-3] ERROR"
I'm trying to search for, and return, a store number that's associated with a particular error. The following search successfully returns the store number (and count):
index=* host="log*" "store license for" | rex field=_raw "Store\s(?P<storenumber>.*)" | stats count by storenumberBut when I try to search for the storenumber along with error string that follows it, I get "no results found." Here's the search i'm trying:
index=* host="log*" "store license for" | rex field=_raw "Store\s(?P<storenumber>.*)[\r\n]+2022\-03\-27\s02:01:59,649\s\[XNIO-2\stask-3\]\sERROR" | stats count by storenumber
Splunk doesn't seem to like the newline character. I've tried \n and [r\n\] and others, but all with the same incorrect results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'll give it a try today, thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there are two ways to do this.
1st way :
put the specific error in the main search and you will find the all the storenumber counts with that error.
index=* host="log*" "store license for" "Error" | rex field=_raw "Store\s(?P<storenumber>.*)" | stats count by storenumber
2nd way:
Extract the error from the raw data and display/filter in the statistics.
index=* host="log*" "store license for" | rex field=_raw "Store\s*(?P<storenumber>\d+)\n*.*ERROR(?<Error>.*)" | stats count by storenumber Error
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I try something like that where all the data is on one line in the logs, I get results. When the data is on separate lines in the logs, I get no results in my search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That "should" have worked, but didn't. I still get "no results found." For some reason, it doesn't seem to recognize (or acknowledge) the \n.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think a slightly tweaked version of this will work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think a slightly tweaked version of this will work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here are two examples from logs...
store license for Store 123456
2022-03-27 02:01:59,649 [XNIO-2 task-3] ERROR hostnane is null
store license for Store 234567
2022-03-27 00:02:22,566 [XNIO-2 task-7] INFO com.
I want to find only store numbers that are followed by the error text
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure, but the line break in the log seems to be messing me up:
"store license for Store 123456
2022-03-27 02:01:59,649 [XNIO-2 task-3] ERROR"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to find every occurrence of the store number in the logs that is followed by a specific error text. That "ERROR" in my sample is just the first word in the error string. There are other occurrences of that store number in the logs, but I want to find only those that are followed by the specific error text. I know that I'll also have to deal with the date/time stamp, but for now I'm just trying to figure out to write the search query to find that hardcoded value.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can put the specific error message in your base search as filter
index=* host="log*" "store license for" "<your hard coded error message>" | rex field=_raw "Store\s(?P<storenumber>.*)" | stats count by storenumber
Example:
index=* host="log*" "store license for" "ERROR hostnane is null" | rex field=_raw "Store\s(?P<storenumber>.*)" | stats count by storenumber
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you trying to find count by storenumber and error, like this?
index=* host="log*" "store license for" | rex field=_raw "Store\s(?P<storenumber>.*)" | rex "\](?<Error>.+)"| stats count by storenumber Error
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
