
Extract Class Names that created the exceptions from application server logs stacktrace

jagadish85
Path Finder

Hi,

I want to extract the class Names which created the exceptions from the application server logs stacktrace.

For example, an event with the stack trace below:
Example 1:
Caused by: java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
at java.util.ArrayList.RangeCheck(ArrayList.java:572)
at java.util.ArrayList.get(ArrayList.java:347)
at com.sun.xml.bind.util.ProxyListImpl.get(ProxyListImpl.java:189)
at com.mypkg.test.data.IAMGetTasksData.getOwner(IAMGetTasksData.java:1125)
at com.mypkg.test.data.IAMGetTasksData.getOwnerEmpNumber(IAMGetTasksData.java:1287)


at com.ibm._jsp._SPIAMCustListView._jspService(_SPIAMCustListView.java:878)
at com.ibm.ws.jsp.runtime.HttpJspBase.service(HttpJspBase.java:87)

I want to extract the class - com.mypkg.test.data.IAMGetTasksData which created IndexOutOfBoundsException

Example 2:
java.net.SocketTimeoutException: Read timed out
at org.apache.axis.AxisFault.makeFault(AxisFault.java:129)
at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:131)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:71)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:150)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:120)
at org.apache.axis.client.AxisClient.invoke(AxisClient.java:180)
at org.apache.axis.client.Call.invokeEngine(Call.java:2564)
at org.apache.axis.client.Call.invoke(Call.java:2553)
at org.apache.axis.client.Call.invoke(Call.java:2248)
at org.apache.axis.client.Call.invoke(Call.java:2171)
at org.apache.axis.client.Call.invoke(Call.java:1691)
at com.mypkg.HttpClient.connectTo(HttpClient.java:110)
at com.mypkg.NetworkCall.call(NetworkCall.java:110)
at com.mypkg.GetCLD.main(GetCLD.java:145)

Extract Class com.mypkg.HttpClient

Desired result:

```
ClassName                            Exception                  Count
com.mypkg.test.data.IAMGetTasksData  IndexOutOfBoundsException  3
com.mypkg.HttpClient                 SocketTimeOutException     1
```

I am able to extract the exceptions (e.g. IndexOutOfBoundsException, SocketTimeoutException) through regex:

Please suggest any approach or solutions to achieve this.

Thanks
Jagadish

0 Karma

jeremiahc4
Builder

I was able to add this rex command to my search to catch it based on my known package path. This works as long as your path is always the same anyway. In my case it isn't always the same.

rex "at com.mycompany.mypkg.(?P<exceptionClass>[\w\.]*)"
0 Karma

somesoni2
Revered Legend

Use max_match=0 to match all available values.

0 Karma

jeremiahc4
Builder

I believe there's a max match option for rex... forget the exact syntax (max_match=3 perhaps?), but that might work.

0 Karma

jagadish85
Path Finder

Hi Jeremiah,

Thanks for your inputs. But the above regular expression is giving me only the first line in the event that satisfies the regex.

From the stack trace I have to get all 3 with my package name.

at com.mypkg.HttpClient.connectTo(HttpClient.java:110)
at com.mypkg.NetworkCall.call(NetworkCall.java:110)
at com.mypkg.GetCLD.main(GetCLD.java:145)

The current regex is giving me only the first line:
at com.mypkg.HttpClient.connectTo(HttpClient.java:110)

0 Karma

jeremiahc4
Builder

I've attempted this also in the past with no luck so am interested in what you find.

The challenge is that it's not always the same number of lines down the stack, right? You appear to be skipping past any Apache/Sun/Java standard stuff to the first instance of your own code. Does your code pkg always look the same? If so, you could look for that as the start of your extraction: "at com.mypkg.(?P\w*)"

0 Karma

bsayatovic
Path Finder

I've been contemplating something similar. I wanted to make a hash of the stack, possibly excluding line numbers. There could be multiple callers into a problematic method, and I'd like to know each problematic path into that method distinctly. But I'm not sure how to filter the event down to what I want. Once I do, I know I could do an md5() on it to get a consistent hash.

0 Karma
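An added example, not posted by anyone in this thread: one search that produces the table asked for in the question and also the line-number-free stack hash described in the last reply. The `index` and `sourcetype` values and the field names `frame`, `stack_hash` and `DistinctPaths` are assumptions made for illustration; `com.mypkg` is the package prefix used in the thread.

```spl
index=app_logs sourcetype=appserver "Exception"
| rex "(?<Exception>\w+Exception)"
| rex "(?m)^\s*at\s+(?<ClassName>com\.mypkg\.[\w.]+)\.[^\s(.]+\("
| rex max_match=0 "(?m)^\s*at\s+(?<frame>com\.mypkg\.[\w.]+)\("
| eval stack_hash=md5(mvjoin(frame, ">"))
| stats count AS Count, dc(stack_hash) AS DistinctPaths BY ClassName, Exception
```

The first two `rex` calls rely on the default `max_match=1`, so `Exception` is the first exception name in the event and `ClassName` is the class of the first `com.mypkg` frame below it. The third uses `max_match=0` to collect every `com.mypkg` frame without its `(File.java:NNN)` suffix, so events that reach the same method through different call paths get different `stack_hash` values.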