Splunk Search

Extract Class Names that created the exceptions from application server logs stacktrace

jagadish85
Path Finder

Hi,

I want to extract the class Names which created the exceptions from the application server logs stacktrace.

For Eg: event with below stacktrace
Example 1
Caused by: java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
at java.util.ArrayList.RangeCheck(ArrayList.java:572)
at java.util.ArrayList.get(ArrayList.java:347)
at com.sun.xml.bind.util.ProxyListImpl.get(ProxyListImpl.java:189)
at com.mypkg.test.data.IAMGetTasksData.getOwner(IAMGetTasksData.java:1125)
at com.mypkg.test.data.IAMGetTasksData.getOwnerEmpNumber(IAMGetTasksData.java:1287)


at com.ibm._jsp._SPIAMCustListView._jspService(_SPIAMCustListView.java:878)
at com.ibm.ws.jsp.runtime.HttpJspBase.service(HttpJspBase.java:87)

I want to extract the class - com.mypkg.test.data.IAMGetTasksData which created IndexOutOfBoundsException

Example 2:
java.net.SocketTimeoutException: Read timed out
at org.apache.axis.AxisFault.makeFault(AxisFault.java:129)
at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:131)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:71)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:150)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:120)
at org.apache.axis.client.AxisClient.invoke(AxisClient.java:180)
at org.apache.axis.client.Call.invokeEngine(Call.java:2564)
at org.apache.axis.client.Call.invoke(Call.java:2553)
at org.apache.axis.client.Call.invoke(Call.java:2248)
at org.apache.axis.client.Call.invoke(Call.java:2171)
at org.apache.axis.client.Call.invoke(Call.java:1691)
at com.mypkg.HttpClient.connectTo(HttpClient.java:110)
at com.mypkg.NetworkCall.call(NetworkCall.java:110)
at com.mypkg.GetCLD.main(GetCLD.java:145)

Extract Class com.mypkg.HttpClient

`Desired result:

ClassName Exception Count
com.mypkg.test.data.IAMGetTasksData IndexOutOfBoundsException 3
com.mypkg.HttpClient SocketTimeOutException 1
`
I am able to extract the Exceptions(eg:IndexOutOfBoundException,SocketTimeoutException) through regex:

Please suggest any approach or solutions to achieve this.

Thanks
Jagadish

0 Karma

jeremiahc4
Builder

I was able to add this rex command to my search to catch it based on my known package path. This works as long as your path is always the same anyway. In my case it isn't always the same.

rex "at com.mycompany.mypkg.(?P<exceptionClass>[\w\.]*)"
0 Karma

somesoni2
SplunkTrust
SplunkTrust

User max_match=0 to match all available values.

0 Karma

jeremiahc4
Builder

I believe there's a max match option for rex... forget the exact syntax (max_match=3 perhaps?), but that might work.

0 Karma

jagadish85
Path Finder

Hi Jeremiah,

Thanks for your inputs . But the above regular expression is giving me only the first line in the event that satisfies the regex.

From the stack trace i have to get all the 3 with my package name .

at com.mypkg.HttpClient.connectTo(HttpClient.java:110)
at com.mypkg.NetworkCall.call(NetworkCall.java:110)
at com.mypkg.GetCLD.main(GetCLD.java:145)

Current regex giving me only first line
at com.mypkg.HttpClient.connectTo(HttpClient.java:110)

0 Karma

jeremiahc4
Builder

I've attempted this also in the past with no luck so am interested in what you find.

The challenge is that it's not always the same number of lines down the stack right? You appear to be skipping past any Apache/Sun/Java standard stuff to the first instance of your own code. Does your code pkg always look the same? if so, you could look for that as the start of your extraction "at com.mypkg.(?P\w*)"

0 Karma

bsayatovic
Path Finder

I've been contemplating something similar. I wanted to make a hash of the stack, possibly excluding line numbers. There could be multiple callers into a problematic method, and I'd like to know each problematic path into that method distinctly. But I'm not sure how to filter the event down to what I want. Once I do, I know I could do an md5() on it to get a consistent hash.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...