Dear All,
I have Oracle error data and I need to extract some fields from it. Here is the data:
[EntID: ] 17-Jun-2014, 07:55:39:586, [10], UserId: , Exception DetailsMessage
ORA-1034: ORACLE not available
Stack Trace
[EnterpiseID: ] 17-Jun-2014, 07:55:25:373, [11], UserId: , Exception DetailsMessage
ORA-28000: the account is locked
Stack Trace
Here I need to extract ORA-1034: ORACLE not available and ORA-28000: the account is locked, but I am not able to get the proper regex for this.
Thanks
Gajanan
Hi gajananh999,
try something like this:
your base search to get the events | rex field=_raw "(?<myOra>ORA-.+)" | table myOra
If this works for you, you can set it up as an automated field extraction in the Splunk UI.
Be aware that for the automated field extraction the regex must be used in a different way, so something like this should work:
(?P<myOra>ORA-.+)
cheers, MuS
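Added example, not part of the original thread: a Python check of the named-group pattern from the answer above against the two events in the question. It goes one step further than the answer by splitting the match into code and text and attaching the event timestamp; HEADER, ORA, extract and lockouts are hypothetical names, and the sample string is constructed from the question's data.

```python
import re

# Constructed sample: the two events from the question as one raw string.
SAMPLE = """[EntID: ] 17-Jun-2014, 07:55:39:586, [10], UserId: , Exception DetailsMessage
ORA-1034: ORACLE not available
Stack Trace
[EnterpiseID: ] 17-Jun-2014, 07:55:25:373, [11], UserId: , Exception DetailsMessage
ORA-28000: the account is locked
Stack Trace
"""

# Header line of an event: bracketed ID, then the timestamp.
HEADER = re.compile(
    r"^\[\w+: [^\]]*\] (?P<ts>\d{2}-\w{3}-\d{4}, \d{2}:\d{2}:\d{2}:\d{3}),"
)

# Same idea as (?P<myOra>ORA-.+), but anchored to a whole line and split
# into the error code and its text so each can be searched separately.
ORA = re.compile(r"^(?P<myOra>(?P<code>ORA-\d+): (?P<text>[^\r\n]+))$")


def extract(raw):
    """Return one dict per ORA line, tagged with the preceding header's timestamp."""
    events, ts = [], None
    for line in raw.splitlines():
        header = HEADER.match(line)
        if header:
            ts = header.group("ts")
            continue
        match = ORA.match(line.strip())
        if match:
            events.append({"ts": ts, **match.groupdict()})
    return events


def lockouts(events):
    """ORA-28000 (account locked) events, the ones worth alerting on."""
    return [e for e in events if e["code"] == "ORA-28000"]


if __name__ == "__main__":
    for event in extract(SAMPLE):
        print(event["ts"], "|", event["code"], "|", event["text"])
```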
try this:
(?P<FIELDNAME>ORA-.+)
I don't have a Splunk UI handy, but in the field extraction UI you can edit the regex. Simply paste ORA-.+ in there and you should be fine.
Hello MuS,
Sorry I am not getting (?i)(?P
ORA-1034: ORACLE not available
ORA-28000: the account is
this result which is giving wrong result and (?
See my update and feel free to accept the answer now 😉
Thanks for the reply. This is working perfectly fine when we do it using search, but when trying to do it using the field extractor with this regex \s(?