- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extract first 3 lines of raw logs and group
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
My current query for splunk dashboard is as:
........| eval ErrorMsg=_raw | stats count by Application, ErrorMsg | sort -count | table count, Application, ErrorMsg
My able looks like this:
| count | Application | ErrorMsg |
| 5 | abc | {"severity" : "ERROR", "exception" : "xyz abc asd......."........"time" : "12:00:00"><there are mutiple key value pairs with data in multiple lines>........} |
| 10 | abc | {"severity" : "ERROR", "exception" : "xyz abc asd......."........."time" : "12:01:00"<there are mutiple key value pairs with data in multiple lines>........} |
How can I get table like this:
| 15 | abc | "exception" : "xyz abc asd |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
... | rex "exception\"\s?:\s?\"(?<ErrorMsg>[^\"]+)\"" | stats count by Application, ErrorMsg | sort -count | table count, Application, ErrorMsg- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @alex5441,
Please try below;
| rex "exception\"\s:\s\"(?<ErrorMsg>.*?)\""
| stats count by Application ErrorMsg
| sort -count
| table count, Application, ErrorMsg- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @alex5441,
You can extract the values for the field ErrorMsg using rex command.
........| rex "(?<ErrorMsg>\"exception\"\s:\s\"\w+\s\w+\w\s\w+)" | stats count by Application, ErrorMsg | sort -count | table count, Application, ErrorMsg
If this reply helps you, a like would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your reply but Nothing changed on table.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I updated my answer, check now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi manjunathmet,
Nothing changed agian. However I think if I get everything extracted value of exception Key that would suffice my requirement.
{"Severity": "ERROR", "exception":"..................................", "logger":"....................."}
In above pattern I am able to extract with regex: exception":"(.*?)"
But I have to use it as rex in my SPL which needs escaping special chars which I am not sure about.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
... | rex "exception\"\s?:\s?\"(?<ErrorMsg>[^\"]+)\"" | stats count by Application, ErrorMsg | sort -count | table count, Application, ErrorMsg
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
