Splunk Search

Extract Class Names that created the exceptions from application server logs stacktrace

jagadish85
Path Finder

Hi,

I want to extract the class Names which created the exceptions from the application server logs stacktrace.

For Eg: event with below stacktrace
Example 1
Caused by: java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
at java.util.ArrayList.RangeCheck(ArrayList.java:572)
at java.util.ArrayList.get(ArrayList.java:347)
at com.sun.xml.bind.util.ProxyListImpl.get(ProxyListImpl.java:189)
at com.mypkg.test.data.IAMGetTasksData.getOwner(IAMGetTasksData.java:1125)
at com.mypkg.test.data.IAMGetTasksData.getOwnerEmpNumber(IAMGetTasksData.java:1287)


at com.ibm._jsp._SPIAMCustListView._jspService(_SPIAMCustListView.java:878)
at com.ibm.ws.jsp.runtime.HttpJspBase.service(HttpJspBase.java:87)

I want to extract the class - com.mypkg.test.data.IAMGetTasksData which created IndexOutOfBoundsException

Example 2:
java.net.SocketTimeoutException: Read timed out
at org.apache.axis.AxisFault.makeFault(AxisFault.java:129)
at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:131)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:71)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:150)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:120)
at org.apache.axis.client.AxisClient.invoke(AxisClient.java:180)
at org.apache.axis.client.Call.invokeEngine(Call.java:2564)
at org.apache.axis.client.Call.invoke(Call.java:2553)
at org.apache.axis.client.Call.invoke(Call.java:2248)
at org.apache.axis.client.Call.invoke(Call.java:2171)
at org.apache.axis.client.Call.invoke(Call.java:1691)
at com.mypkg.HttpClient.connectTo(HttpClient.java:110)
at com.mypkg.NetworkCall.call(NetworkCall.java:110)
at com.mypkg.GetCLD.main(GetCLD.java:145)

Extract Class com.mypkg.HttpClient

Desired result:

```
ClassName                            Exception                  Count
com.mypkg.test.data.IAMGetTasksData  IndexOutOfBoundsException  3
com.mypkg.HttpClient                 SocketTimeOutException     1
```
I am able to extract the Exceptions (e.g. IndexOutOfBoundException, SocketTimeoutException) through regex:

Please suggest any approach or solutions to achieve this.

Thanks
Jagadish

0 Karma

jeremiahc4
Builder

I was able to add this rex command to my search to catch it based on my known package path. This works as long as your path is always the same anyway. In my case it isn't always the same.

rex "at com.mycompany.mypkg.(?P<exceptionClass>[\w\.]*)"
0 Karma

somesoni2
Revered Legend

Use max_match=0 to match all available values.

0 Karma

jeremiahc4
Builder

I believe there's a max match option for rex... forget the exact syntax (max_match=3 perhaps?), but that might work.

0 Karma

jagadish85
Path Finder

Hi Jeremiah,

Thanks for your inputs. But the above regular expression is giving me only the first line in the event that satisfies the regex.

From the stack trace I have to get all the 3 with my package name.

at com.mypkg.HttpClient.connectTo(HttpClient.java:110)
at com.mypkg.NetworkCall.call(NetworkCall.java:110)
at com.mypkg.GetCLD.main(GetCLD.java:145)

The current regex is giving me only the first line:
at com.mypkg.HttpClient.connectTo(HttpClient.java:110)

0 Karma

jeremiahc4
Builder

I've attempted this also in the past with no luck so am interested in what you find.

The challenge is that it's not always the same number of lines down the stack, right? You appear to be skipping past any Apache/Sun/Java standard stuff to the first instance of your own code. Does your code pkg always look the same? If so, you could look for that as the start of your extraction "at com.mypkg.(?P\w*)"

0 Karma

bsayatovic
Path Finder

I've been contemplating something similar. I wanted to make a hash of the stack, possibly excluding line numbers. There could be multiple callers into a problematic method, and I'd like to know each problematic path into that method distinctly. But I'm not sure how to filter the event down to what I want. Once I do, I know I could do an md5() on it to get a consistent hash.

0 Karma
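
An added example, not from any post in this thread: a Python prototype of the extraction discussed above. It collects every stack frame, takes the first one under your own package as the class name, counts events per class and exception, and builds the line-number-free stack hash described in the last post. The `com.mypkg.` prefix comes from the question's samples; the function names, the choice to report the root cause, and the sample events are assumptions made for the example.

```python
import hashlib
import re
from collections import Counter

OWN_PKG = "com.mypkg."  # assumption: prefix of your own code, as in the question's samples

EXC_RE = re.compile(r"(?P<exception>\w*(?:Exception|Error))\b")
# One "at pkg.Class.method(" frame per line; the class is everything before the last dot.
FRAME_RE = re.compile(r"^\s*at (?P<cls>[\w.$]+)\.(?P<method>[\w$<>]+)\(", re.M)

def parse_event(event, own_pkg=OWN_PKG):
    """Return (class_name, exception, stack_hash), or None if no own-package frame."""
    # Assumption: report the root cause, i.e. the text from the last "Caused by:" on.
    root = event[max(event.rfind("Caused by:"), 0):]
    exc = EXC_RE.search(root)
    frames = [(m["cls"], m["method"]) for m in FRAME_RE.finditer(root)]
    own = [cls for cls, _ in frames if cls.startswith(own_pkg)]
    if not exc or not own:
        return None
    # Hash class.method pairs only, so a shifted line number keeps the same hash.
    sig = "\n".join(f"{cls}.{method}" for cls, method in frames)
    # md5 as suggested in the thread: a grouping key here, not a security control.
    return own[0], exc["exception"], hashlib.md5(sig.encode()).hexdigest()

def summarize(events):
    """Count events per (ClassName, Exception), the shape of the desired result."""
    rows = Counter()
    for event in events:
        parsed = parse_event(event)
        if parsed:
            rows[parsed[:2]] += 1
    return rows

# Constructed sample events, shortened from the two traces in the question.
EVENT_1 = """Caused by: java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
at java.util.ArrayList.RangeCheck(ArrayList.java:572)
at java.util.ArrayList.get(ArrayList.java:347)
at com.sun.xml.bind.util.ProxyListImpl.get(ProxyListImpl.java:189)
at com.mypkg.test.data.IAMGetTasksData.getOwner(IAMGetTasksData.java:1125)
at com.mypkg.test.data.IAMGetTasksData.getOwnerEmpNumber(IAMGetTasksData.java:1287)"""
EVENT_2 = """java.net.SocketTimeoutException: Read timed out
at org.apache.axis.AxisFault.makeFault(AxisFault.java:129)
at org.apache.axis.client.Call.invoke(Call.java:1691)
at com.mypkg.HttpClient.connectTo(HttpClient.java:110)
at com.mypkg.NetworkCall.call(NetworkCall.java:110)
at com.mypkg.GetCLD.main(GetCLD.java:145)"""

if __name__ == "__main__":
    for (cls, exc), count in summarize([EVENT_1, EVENT_1, EVENT_1, EVENT_2]).items():
        print(cls, exc, count)
```

Events with no frame under the configured prefix are skipped rather than attributed to a library class.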