Splunk Search

Field Extraction - Event table only pulling back one line

ryangrobbel
Explorer

Hi All,

I am currently pulling in data from an application, and we are looking to extract the single line where the event occurs and put it in an events table for a dashboard. I've tried using rex and regex to no avail. A sample of this data is:

14:51:19.425 MSM:read142-USCN9360: .SocketManager$1: got request SeqNo 452 Agent AMW_PRD2 Master null service checkNetwork Method checkConnection [USCN9360]
14:51:19.425 MSM2: .MasterSocketManager$_A: doRun 0 SeqNo 452 Agent AMW_PRD2 Master null service checkNetwork Method checkConnection [USCN9360]
14:51:19.425 MSM2: .CheckNetworkService: USCN9360
14:51:19.425 MSM2: .MasterSocketManager$_A: doRun done 0 SeqNo 452 Agent AMW_PRD2 Master null service checkN
14:51:19.613 CR:read122-/172.20.240.32:63509: .SocketManager$1: got request SeqNo 5005 Agent 172.30.106.172:1099 Master Client service clientServices sessionID 287 Method invokeAgent [FTP, FTP, ftpLi
stDirectory, [Ljava.lang.Object;@1367476]
14:51:19.613 CR1: .D$_A: doRun 0 SeqNo 5005 Agent 172.30.106.172:1099 Master Client service clientServices sessionID 287 Method invokeAgent [FTP, FTP, ftpListDirectory, [Ljava.lang.Obje
14:51:19.613 CR1 172.20.240.32:63509: .C: invoke invokeAgent com.appworx.server.data.AxRmiServer /172.20.240.32:63509
14:51:19.613 CR1 172.20.240.32:63509: .MasterSocketManager: sendRequest 172.30.118.41:55895 SeqNo 265838 Agent FTP Master AMW_PRD2 service FTP Method ftpListDirectory [{CONNECTION_NAME=Ftp@Jde-apx511
}, /apps/jdeasq03/uc4]
14:51:19.629 MSM:read61-JDEASP05: .SocketManager$1: got request 265838 null null Agent error : FTP:ftpListDirectory : Client Request Error : Directory /apps/jdeasq03/uc4 does not exist. : java.lang.Ru
ntimeException
14:51:19.629 MSM6: .MasterSocketManager$_A: doRun 0 265838 null null Agent error : FTP:ftpListDirectory : Client Request Error : Directory /apps/jdeasq03/uc4 does not exist. : java.lang.RuntimeExcepti
on
14:51:19.629 MSM6: .MasterSocketManager$_A: doRun done 0 265838 null null Agent error : FTP:ftpListDirectory
14:51:19.629 CR1 172.20.240.32:63509: AwE-5128
ErrorMsg: AwE-5128 Client Request Error (3/5/19 2:51 PM)
Details: invokeAgent
Agent error : FTP:ftpListDirectory : Client Request Error : Directory /apps/jdeasq03/uc4 does not exist. : java.lang.RuntimeException
at com.appworx.agent.AgentService.invoke(AgentService.java:1335)
at com.appworx.agent.AgentSocketManager$_A.doRun(AgentSocketManager.java:462)
at com.uc4.be.threading.AbstractWorker.run(AbstractWorker.java:367)
at java.lang.Thread.run(Thread.java:736)
Caused by: Client Request Error : Directory /apps/jdeasq03/uc4 does not exist. : java.lang.RuntimeException
at com.appworx.agent.extensibleagent.A.invoke(GenericExtensibleAgent.java:298)
at com.appworx.agent.AgentService.invoke(AgentService.java:1296)
... 3 more
Caused by: java.lang.RuntimeException
... 5 more
AwE-5128 Client Request Error
Directory /apps/jdeasq03/uc4 does not exist.
Client Request Error : Directory /apps/jdeasq03/uc4 does not exist. : java.lang.RuntimeException
at com.appworx.agent.extensibleagent.A.invoke(GenericExtensibleAgent.java:298)
at com.appworx.agent.AgentService.invoke(AgentService.java:1296)
at com.appworx.agent.AgentSocketManager$_A.doRun(AgentSocketManager.java:462)
at com.uc4.be.threading.AbstractWorker.run(AbstractWorker.java:367)
at java.lang.Thread.run(Thread.java:736)
Caused by: java.lang.RuntimeException
... 5 more
java.lang.RuntimeException
at com.appworx.agent.extensibleagent.A.invoke(GenericExtensibleAgent.java:298)
at com.appworx.agent.AgentService.invoke(AgentService.java:1296)
at com.appworx.agent.AgentSocketManager$_A.doRun(AgentSocketManager.java:462)
at com.uc4.be.threading.AbstractWorker.run(AbstractWorker.java:367)
at java.lang.Thread.run(Thread.java:736)

I've tried using the built-in regex and writing my own.

Am I missing something with this scenario? We would only want to pull back the ErrorMsg line of the event into a panel.

Thanks!

0 Karma

woodcock
Esteemed Legend

You showed us the event(s) but did not say what pieces you need captured. Also, I assume that your sample is showing multiple events, each one starting with the timestamp, not one huge multi-line event, right?

0 Karma

mayurr98
Super Champion

Can you share what regex you tried, and what exactly you are trying to extract from the sample data?

damann
Communicator

What is your regex looking like?
Have you already tried something like:
your base search | rex "(?<error_message>ErrorMsg:[^\n]+)"

If this captures too much, you can try:
your base search | rex "(?<error_message>ErrorMsg:[^)]+)"

Afterwards you should have a new field called error_message you can work with.

0 Karma
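The two patterns from the reply above, run over a few lines of the question's sample, as an added example that is not part of the original thread. It is written in Python, so the named group is spelled `(?P<name>...)` instead of rex's `(?<name>...)`; splitting events on a leading timestamp and the `NO_PAREN` event are assumptions constructed for illustration.

```python
import re

# Constructed sample: a few lines copied from the question's log excerpt.
SAMPLE = """\
14:51:19.629 MSM6: .MasterSocketManager$_A: doRun done 0 265838 null null Agent error : FTP:ftpListDirectory
14:51:19.629 CR1 172.20.240.32:63509: AwE-5128
ErrorMsg: AwE-5128 Client Request Error (3/5/19 2:51 PM)
Details: invokeAgent
at com.appworx.agent.AgentService.invoke(AgentService.java:1335)
"""

# Constructed variant (hypothetical): same event, but no "(date)" on the ErrorMsg line.
NO_PAREN = """\
14:51:20.001 CR1 172.20.240.32:63509: AwE-5128
ErrorMsg: AwE-5128 Client Request Error
Details: invokeAgent
at com.appworx.agent.AgentService.invoke(AgentService.java:1335)
"""

# Assumption: an event starts at every line that begins with HH:MM:SS.mmm.
EVENT_START = re.compile(r"^(?=\d{2}:\d{2}:\d{2}\.\d{3} )", re.MULTILINE)

# Same patterns as in the reply, with Python's (?P<name>...) group syntax.
TO_EOL = re.compile(r"(?P<error_message>ErrorMsg:[^\n]+)")
TO_PAREN = re.compile(r"(?P<error_message>ErrorMsg:[^)]+)")


def split_events(raw):
    """Split raw text into multi-line events on the leading timestamp."""
    return [e.rstrip("\n") for e in EVENT_START.split(raw) if e.strip()]


def extract(raw, pattern):
    """Return error_message for each event in which the pattern matches."""
    found = []
    for event in split_events(raw):
        match = pattern.search(event)
        if match:
            found.append(match.group("error_message"))
    return found


if __name__ == "__main__":
    for name, pattern in (("to end of line", TO_EOL), ("to first ')'", TO_PAREN)):
        for label, raw in (("SAMPLE", SAMPLE), ("NO_PAREN", NO_PAREN)):
            print(f"{name:15} {label:9} {extract(raw, pattern)!r}")
```

On the sample, `[^\n]+` returns the whole ErrorMsg line, while `[^)]+` stops just before the closing parenthesis. When the line has no parenthesis, `[^)]+` also matches newlines and runs on into the stack trace.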