Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Extracting Messages which may be found in even...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extracting Messages which may be found in event
I have a search yielding the following result
"message":"gimlet::hardware_controller: State { target: Idle, state: Idle, cavity: 42400, fuel: 0, shutdown: None, errors: ErrorCode(E21)}"
The value in parenthesis will be blank if no error is detected, and can vary depending on the type of error detected. Possible values include: E1, E2, E3, E....,E21
I would like to extract the value within the parenthesis and note the first time it occurred, and place these results into a table
How I can create a query which will identify the error code and place it and the time it occured into a table?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are correct in assuming this is JSON data, message key is the top node, and your rex input works nicely.
However, when I try to chart this the contains almost entirely empty error_code fields, some insight on how to remove the empty error code fields and create a relevant chart would be appreciated
spath|
rex field=message "ErrorCode\((?<error_code>[^\)]+)"|
chart values(error_code) by _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, thank you for illustrating data, and explain your requirement clearly. Second, the illustration appears to be a fragment of a valid JSON object. Is this correct? Is the "message" key a top node in raw event? Splunk should have given you a field "message" with the following value (no special instruction required):
| message |
| gimlet::hardware_controller: State { target: Idle, state: Idle, cavity: 42400, fuel: 0, shutdown: None, errors: ErrorCode(E21)} |
Is this correct?
Your problem is a simple one, but illustrating data correctly will save you lots of trouble in the future.
Provided that top-node "message" field exists, all you need to do is
| rex field=message "ErrorCode\((?<error_code>[^\)]+)"
This is an emulation of a raw event that would give you that message field without instruction
| makeresults
| eval _raw = "{\"message\":\"gimlet::hardware_controller: State { target: Idle, state: Idle, cavity: 42400, fuel: 0, shutdown: None, errors: ErrorCode(E21)}\"}"
| spath
``` data emulation above ```
Play with it and compare with real data. Output using this emulation is
| _time | _raw | error_code | message |
| 2024-07-15 15:05:20 | {"message":"gimlet::hardware_controller: State { target: Idle, state: Idle, cavity: 42400, fuel: 0, shutdown: None, errors: ErrorCode(E21)}"} | E21 | gimlet::hardware_controller: State { target: Idle, state: Idle, cavity: 42400, fuel: 0, shutdown: None, errors: ErrorCode(E21)} |
Hope this helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if there is another key, serial_number, how could I add this to the chart?
rex field=message "ErrorCode\((?<error_code>[^\)]+)"|
search error_code=*|
chart values(error_code), values(serial_number) by _time
I would like to show the error code, the time , and the serial number associated with the error code
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
serial_number would have already been extracted, too. You do whatever is needed. But I do not see a chart of two values() function useful in this case. Maybe you mean to have something like
| _time | E21 | E25 |
| 2024-07-15 | 51A81FC 51A86FC | |
| 2024-07-16 | 51A81FC |
In other words, get serial_numbers according to error_code? All you need is something like
<your search> "ErrorCode(*)"
| rex field=message "ErrorCode\((?<error_code>[^\)]+)"
| timechart span=1d values(serial_number) by error_code
Here, I propose that you restrict events to those containing error code in index search rather than in another search line.
Or, if you want to group error_codes on individual serial_number, like
| _time | 51A81FC | 51A86FC |
| 2024-07-15 | E21 | E21 |
| 2024-07-16 | E25 |
For this, do
<your search> "ErrorCode(*)"
| rex field=message "ErrorCode\((?<error_code>[^\)]+)"
| timechart span=1d values(error_code) by serial_number
Does this make sense?
Here is an emulation to get the above results. Play with it and compare with real data
| makeresults
| eval data = mvappend("{\"time\": \"2024-07-15\", \"message\":\"gimlet::hardware_controller: State { target: Idle, state: Idle, cavity: 42400, fuel: 0, shutdown: None, errors: ErrorCode(E21)}\", \"serial_number\": \"51A86FC\"}",
"{\"time\": \"2024-07-15\", \"message\":\"gimlet::hardware_controller: State { target: Idle, state: Idle, cavity: 42400, fuel: 0, shutdown: None, errors: ErrorCode(E21)}\", \"serial_number\": \"51A81FC\"}",
"{\"time\": \"2024-07-16\", \"message\":\"gimlet::someotherstuff: State { target: whatever, state: whaever, some other messages, errors: ErrorCode(E25)}\", \"serial_number\": \"51A81FC\"}")
| mvexpand data
| rename data as _raw
| spath
| eval _time = strptime(time, "%F")
``` the above emulates
<your search> "ErrorCode(*)"
```
What Is Splunk? Here’s What You Can Do with Splunk
Level Up Your .conf25: Splunk Arcade Comes to Boston
Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...
