Splunk Search

Exception matching

prad18
Path Finder

Hi
I'm currently using the following regex to match different types of exception.

(?i:[^.]+.)*(?P[a-zA-Z]+Exception)

sample log

06 Sep 2013 18:59:59,924 [WebContainer : 4] ERROR - Remote Exception while updating CSA Details

java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
java.rmi.RemoteException: ; nested exception is:
org.springframework.jdbc.UncategorizedSQLException: CallableStatementCallback; uncategorized SQLException for SQL [{call PX_CO_AC_AGREEMENT_MASTER_PG.spt_update(?, ?, ?, ?, ?, ?)}]; SQL state [72000]; error code [20002]; ORA-20002: Record has been modified since last retrieved - Resubmit transaction for parameter(s) p_acag_agreement_id_in values of which are => 1463755
ORA-06512: at "ACCOUNT_OWNER.PX_CO_AC_AGREEMENT_MASTER_PG", line 91
ORA-06510: PL/SQL: unhandled user-defined exception
ORA-06512: at line 1
; nested exception is java.sql.SQLException: ORA-20002: Record has been modified since last retrieved - Resubmit transaction for parameter(s) p_acag_agreement_id_in values of which are => 1463755
ORA-06512: at "ACCOUNT_OWNER.PX_CO_AC_AGREEMENT_MASTER_PG", line 91
ORA-06510: PL/SQL: unhandled user-defined exception
ORA-06512: at line 1

The regex is matching SQLException (bold) but I need to match UncategorizedSQLException (bold) once from the above log entry.

I even tried it like this: (?i:[^.]+.)*(?P[a-zA-Z]+Exception|UncategorizedSQLException) but it was not successful.

Any help on this?

laserval
Communicator

As suggested in @MuS's answer, try the different values in a regex tester (you could also use the built-in one in Splunk Web).

I think you need to consider some other things, though:

  • What are you going to use this for? In your example log, you are extracting two values from the same log event. One is the actual exception name and one is part of the exception message (... ack; uncategorized SQLException for SQL ...). Additionally, the values are not the first exceptions mentioned in the event.
  • Do you only want actual exceptions? In that case, consider that some exceptions might not be called Exception. You might need to detect exceptions based on position, or by filtering your results to only events that should mention exceptions.
  • Some exceptions might have the same class names, but different fully-qualified names (e.g. com.foo.framework.net.http.NotFoundException and org.bar.gofish.hand.NotFoundException). If you're doing statistics based on these extractions, that could give you bad results.

laserval
Communicator

How can I do this, any example or doc?

You probably found a solution, but: rex max_match=0 ... will extract as many values as there are, and make the field multivalued. See http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/rex

0 Karma

prad18
Path Finder

You could have an extraction that creates a multivalue field.

How can I do this, any example or doc?

0 Karma

laserval
Communicator

I need to extract one exception from each event and show the count in the form of a chart.
The above example log is one event in which initially I extracted java.rmi.ServerException -> "Server exception"

You could have an extraction that creates a multivalue field. Then you could filter out ServerException and other generic ones when doing the stats and chart, so your chart can include any new exceptions that turn up.

Any suggestion on how to tackle this problem?

Extract the whole name, then categorize afterwards, e.g. stats count(eval(match(exception, "SQL"))) as SQLExceptions.

0 Karma

prad18
Path Finder

Hi laserval,
I need to extract one exception from each event and show the count in the form of a chart.
The above example log is one event in which initially I extracted java.rmi.ServerException -> "Server exception", but now I have to match org.springframework.jdbc.UncategorizedSQLException -> "UncategorizedSQLException" instead of Server exception.

Yeah, the last point is a valid one; there could be different fully-qualified names. Any suggestion on how to tackle this problem?

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi prad18

A quick one would be like this:

 (?<test>(\sSQL|(\w+\.){3}\w+SQL)+Exception)

This matches org.springframework.jdbc.UncategorizedSQLException and SQLException.
You can test your regex by using this nice online regex tester.

hope this helps ...

cheers, MuS

prad18
Path Finder

While posting comments, slashes are being removed. I made a typo in the rex command, that's why it was not working; then I added an assertion like ((w+.){2,6})(?w+b)(?<=Exception|NoClientInfoFound|DataAccessResourceFailureException) and it matched all exceptions.

Thanks a lot for help MuS

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi, sure it does; you must include \ like this:
((\w+\.){2,6})(?<test>\w+\b)
It will create a new field called test.

0 Karma

prad18
Path Finder

Hi MuS,
((w+.){2,6})(?w+b) is not matching any of the above error's last word. 😞

0 Karma

MuS
SplunkTrust
SplunkTrust

Well, that was what you requested in the first place 😉
To match the last word in any of the above provided errors you could use something like this:

((\w+\.){2,6})(?<test>\w+\b)

cheers

prad18
Path Finder

It is matching only org.springframework.jdbc.UncategorizedSQLException and SQLException.

But actually I need to match the following:
An Error has occured for com.marsh.csa.exception.NoClientInfoFound:-->NoClientInfoFound
handleException():com.marsh.framework.core.exception.MarshException:-->MarshException
Found Exception, class:java.lang.NullPointerException-->NullPointerException
org.springframework.dao.DataAccessResourceFailureException-->DataAccessResourceFailureException
org.springframework.jdbc.UncategorizedSQLException-->UncategorizedSQLException

Just the last words, not the entire package name.

0 Karma
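Added example, not from the thread or from Splunk: a Python script that runs both of MuS's regexes (the SQL-specific one from the first answer and the "last word of the qualified name" one from the later replies) over the sample event from the question and over the five one-line events from the last post, and emulates laserval's suggestions of `rex max_match=0` (a multivalue field) followed by filtering out generic wrapper exceptions before counting. Splunk's rex uses PCRE named groups `(?<name>...)`; Python's `re` needs `(?P<name>...)`, which is the only change made to the regexes. The sample inputs are constructed from the posts (the `-->expected` suffixes stripped), and the set of "generic" names to skip is an assumption, not something the thread fixes.

```python
import re

# Splunk's rex command uses PCRE, where a named group is written (?<name>...).
# Python's re module requires (?P<name>...), so the two regexes from the thread
# are transcribed with that one change; everything else is verbatim.
SQL_ONLY_RE = re.compile(r"(?P<test>(\sSQL|(\w+\.){3}\w+SQL)+Exception)")
LAST_WORD_RE = re.compile(r"((\w+\.){2,6})(?P<test>\w+\b)")

# Constructed sample: the multi-line event from the question, joined back into
# one string the way Splunk stores a single event.
SAMPLE_EVENT = """\
06 Sep 2013 18:59:59,924 [WebContainer : 4] ERROR - Remote Exception while updating CSA Details
java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
java.rmi.RemoteException: ; nested exception is:
org.springframework.jdbc.UncategorizedSQLException: CallableStatementCallback; uncategorized SQLException for SQL [{call PX_CO_AC_AGREEMENT_MASTER_PG.spt_update(?, ?, ?, ?, ?, ?)}]; SQL state [72000]; error code [20002]; ORA-20002: Record has been modified since last retrieved - Resubmit transaction for parameter(s) p_acag_agreement_id_in values of which are => 1463755
ORA-06512: at "ACCOUNT_OWNER.PX_CO_AC_AGREEMENT_MASTER_PG", line 91
ORA-06510: PL/SQL: unhandled user-defined exception
ORA-06512: at line 1
; nested exception is java.sql.SQLException: ORA-20002: Record has been modified since last retrieved - Resubmit transaction for parameter(s) p_acag_agreement_id_in values of which are => 1463755
ORA-06512: at "ACCOUNT_OWNER.PX_CO_AC_AGREEMENT_MASTER_PG", line 91
ORA-06510: PL/SQL: unhandled user-defined exception
ORA-06512: at line 1
"""

# Constructed sample: the five one-line events from the last post, with the
# "-->expected" annotation the poster appended removed.
OTHER_EVENTS = [
    "An Error has occured for com.marsh.csa.exception.NoClientInfoFound:",
    "handleException():com.marsh.framework.core.exception.MarshException:",
    "Found Exception, class:java.lang.NullPointerException",
    "org.springframework.dao.DataAccessResourceFailureException",
    "org.springframework.jdbc.UncategorizedSQLException",
]

# Assumed list of generic wrapper exceptions to drop from the chart, following
# laserval's suggestion to filter ServerException "and other generic ones".
GENERIC = {"ServerException", "RemoteException"}


def extract_all(pattern, event):
    """Equivalent of `rex max_match=0`: every capture of the named group, in order."""
    return [m.group("test").strip() for m in pattern.finditer(event)]


def extract_first(pattern, event):
    """Equivalent of plain `rex` (max_match=1): the first capture, or None."""
    m = pattern.search(event)
    return m.group("test").strip() if m else None


def count_by_exception(events, pattern=LAST_WORD_RE, skip=GENERIC):
    """Roughly `rex max_match=0 ... | mvexpand test | search NOT test IN (...) | stats count by test`."""
    counts = {}
    for ev in events:
        for name in extract_all(pattern, ev):
            if name in skip:
                continue
            counts[name] = counts.get(name, 0) + 1
    return counts


def count_sql_exceptions(events, pattern=LAST_WORD_RE):
    """Roughly laserval's `stats count(eval(match(exception, "SQL")))` over the multivalue field."""
    return sum(1 for ev in events for name in extract_all(pattern, ev) if "SQL" in name)


if __name__ == "__main__":
    print("SQL-only regex on sample:", extract_all(SQL_ONLY_RE, SAMPLE_EVENT))
    print("Last-word regex on sample:", extract_all(LAST_WORD_RE, SAMPLE_EVENT))
    for ev in OTHER_EVENTS:
        print(f"{extract_first(LAST_WORD_RE, ev):<36} <- {ev}")
    print("Counts (generic filtered):", count_by_exception([SAMPLE_EVENT] + OTHER_EVENTS))
    print("SQL-related count:", count_sql_exceptions([SAMPLE_EVENT] + OTHER_EVENTS))
```

Running it shows why the thread moved from the first regex to the second: the SQL-specific pattern returns the whole qualified name `org.springframework.jdbc.UncategorizedSQLException` plus a bare `SQLException`, while the `{2,6}` pattern returns only the last segment and, with all matches kept, yields four names from the one sample event (ServerException, RemoteException, UncategorizedSQLException, SQLException). That is exactly the multivalue result laserval describes, and filtering the generic wrappers before counting is what keeps the chart focused on the underlying cause.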