Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extracting Messages which may be found in event

nkavouris
Path Finder
‎07-15-2024 02:02 PM

I have a search yielding the following result

"message":"gimlet::hardware_controller: State { target: Idle, state: Idle, cavity: 42400, fuel: 0, shutdown: None, errors: ErrorCode(E21)}"

The value in parenthesis will be blank if no error is detected, and can vary depending on the type of error detected. Possible values include: E1, E2, E3, E....,E21

 I would like to extract the value within the parenthesis and note the first time it occurred, and place these results into a table

How I can create a query which will identify the error code and place it and the time it occured into a table?

 

 

Labels (2)
Labels
0 Karma
Reply

nkavouris
Path Finder
‎07-16-2024 07:52 AM

You are correct in assuming this is JSON data, message key is the top node, and your rex input works nicely.

However, when I try to chart this the contains almost entirely empty error_code fields, some insight on how to remove the empty error code fields and create a relevant chart would be appreciated

spath|
rex field=message "ErrorCode\((?<error_code>[^\)]+)"| 
chart values(error_code) by _time

 

Preview file
39 KB
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎07-15-2024 03:13 PM

First, thank you for illustrating data, and explain your requirement clearly.  Second, the illustration appears to be a fragment of a valid JSON object.  Is this correct?  Is the "message" key a top node in raw event?  Splunk should have given you a field "message" with the following value (no special instruction required):

message
gimlet::hardware_controller: State { target: Idle, state: Idle, cavity: 42400, fuel: 0, shutdown: None, errors: ErrorCode(E21)}

Is this correct?

Your problem is a simple one, but illustrating data correctly will save you lots of trouble in the future.

Provided that top-node "message" field exists, all you need to do is

 

| rex field=message "ErrorCode\((?<error_code>[^\)]+)"

 

This is an emulation of a raw event that would give you that message field without instruction

 

| makeresults
| eval _raw = "{\"message\":\"gimlet::hardware_controller: State { target: Idle, state: Idle, cavity: 42400, fuel: 0, shutdown: None, errors: ErrorCode(E21)}\"}"
| spath
``` data emulation above ```

 

Play with it and compare with real data.  Output using this emulation is

_time_rawerror_codemessage
2024-07-15 15:05:20{"message":"gimlet::hardware_controller: State { target: Idle, state: Idle, cavity: 42400, fuel: 0, shutdown: None, errors: ErrorCode(E21)}"}E21gimlet::hardware_controller: State { target: Idle, state: Idle, cavity: 42400, fuel: 0, shutdown: None, errors: ErrorCode(E21)}

 

Hope this helps

0 Karma
Reply

nkavouris
Path Finder
‎07-16-2024 08:05 AM

if there is another key, serial_number, how could I add this to the chart?

rex field=message "ErrorCode\((?<error_code>[^\)]+)"| 
search error_code=*|
chart values(error_code), values(serial_number) by _time

I would like to show the error code, the time , and the serial number associated with the error code 

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎07-16-2024 03:22 PM

serial_number would have already been extracted, too.  You do whatever is needed.  But I do not see a chart of two values() function useful in this case.  Maybe you mean to have something like

_time
E21
E25
2024-07-15
51A81FC
51A86FC
 
2024-07-16 51A81FC

In other words, get serial_numbers according to error_code?  All you need is something like

 

<your search> "ErrorCode(*)"
| rex field=message "ErrorCode\((?<error_code>[^\)]+)"
| timechart span=1d values(serial_number) by error_code

 

Here, I propose that you restrict events to those containing error code in index search rather than in another search line.

Or, if you want to group error_codes on individual serial_number, like

_time51A81FC51A86FC
2024-07-15E21E21
2024-07-16E25 

For this, do

 

<your search> "ErrorCode(*)"
| rex field=message "ErrorCode\((?<error_code>[^\)]+)"
| timechart span=1d values(error_code) by serial_number

 

Does this make sense?

Here is an emulation to get the above results.  Play with it and compare with real data

 

| makeresults
| eval data = mvappend("{\"time\": \"2024-07-15\", \"message\":\"gimlet::hardware_controller: State { target: Idle, state: Idle, cavity: 42400, fuel: 0, shutdown: None, errors: ErrorCode(E21)}\", \"serial_number\": \"51A86FC\"}",
    "{\"time\": \"2024-07-15\", \"message\":\"gimlet::hardware_controller: State { target: Idle, state: Idle, cavity: 42400, fuel: 0, shutdown: None, errors: ErrorCode(E21)}\", \"serial_number\": \"51A81FC\"}",
    "{\"time\": \"2024-07-16\", \"message\":\"gimlet::someotherstuff: State { target: whatever, state: whaever, some other messages, errors: ErrorCode(E25)}\", \"serial_number\": \"51A81FC\"}")
| mvexpand data
| rename data as _raw
| spath
| eval _time = strptime(time, "%F")
``` the above emulates
<your search> "ErrorCode(*)"
```

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...