
Field Extraction - Event table only pulling back one line

Explorer

Hi All,

I currently am pulling in data from an application and we are looking to extract a single line where the event occurs, and put it in an events table for a dashboard. I've tried using rex and regex to no avail. A sample of this data is:

14:51:19.425 MSM:read142-USCN9360: .SocketManager$1: got request SeqNo 452 Agent AMWPRD2 Master null service checkNetwork Method checkConnection [USCN9360]
14:51:19.425 MSM2: .MasterSocketManager$
A: doRun 0 SeqNo 452 Agent AMWPRD2 Master null service checkNetwork Method checkConnection [USCN9360]
14:51:19.425 MSM2: .CheckNetworkService: USCN9360
14:51:19.425 MSM2: .MasterSocketManager$
A: doRun done 0 SeqNo 452 Agent AMWPRD2 Master null service checkN
14:51:19.613 CR:read122-/172.20.240.32:63509: .SocketManager$1: got request SeqNo 5005 Agent 172.30.106.172:1099 Master Client service clientServices sessionID 287 Method invokeAgent [FTP, FTP, ftpLi
stDirectory, [Ljava.lang.Object;@1367476]
14:51:19.613 CR1: .D$
A: doRun 0 SeqNo 5005 Agent 172.30.106.172:1099 Master Client service clientServices sessionID 287 Method invokeAgent [FTP, FTP, ftpListDirectory, [Ljava.lang.Obje
14:51:19.613 CR1 172.20.240.32:63509: .C: invoke invokeAgent com.appworx.server.data.AxRmiServer /172.20.240.32:63509
14:51:19.613 CR1 172.20.240.32:63509: .MasterSocketManager: sendRequest 172.30.118.41:55895 SeqNo 265838 Agent FTP Master AMWPRD2 service FTP Method ftpListDirectory [{CONNECTIONNAME=Ftp@Jde-apx511
}, /apps/jdeasq03/uc4]
14:51:19.629 MSM:read61-JDEASP05: .SocketManager$1: got request 265838 null null Agent error : FTP:ftpListDirectory : Client Request Error : Directory /apps/jdeasq03/uc4 does not exist. : java.lang.Ru
ntimeException
14:51:19.629 MSM6: .MasterSocketManager$A: doRun 0 265838 null null Agent error : FTP:ftpListDirectory : Client Request Error : Directory /apps/jdeasq03/uc4 does not exist. : java.lang.RuntimeExcepti
on
14:51:19.629 MSM6: .MasterSocketManager$
A: doRun done 0 265838 null null Agent error : FTP:ftpListDirectory
14:51:19.629 CR1 172.20.240.32:63509: AwE-5128
ErrorMsg: AwE-5128 Client Request Error (3/5/19 2:51 PM)
Details: invokeAgent
Agent error : FTP:ftpListDirectory : Client Request Error : Directory /apps/jdeasq03/uc4 does not exist. : java.lang.RuntimeException
at com.appworx.agent.AgentService.invoke(AgentService.java:1335)
at com.appworx.agent.AgentSocketManager$A.doRun(AgentSocketManager.java:462)
at com.uc4.be.threading.AbstractWorker.run(AbstractWorker.java:367)
at java.lang.Thread.run(Thread.java:736)
Caused by: Client Request Error : Directory /apps/jdeasq03/uc4 does not exist. : java.lang.RuntimeException
at com.appworx.agent.extensibleagent.A.invoke(GenericExtensibleAgent.java:298)
at com.appworx.agent.AgentService.invoke(AgentService.java:1296)
... 3 more
Caused by: java.lang.RuntimeException
... 5 more
AwE-5128 Client Request Error
Directory /apps/jdeasq03/uc4 does not exist.
Client Request Error : Directory /apps/jdeasq03/uc4 does not exist. : java.lang.RuntimeException
at com.appworx.agent.extensibleagent.A.invoke(GenericExtensibleAgent.java:298)
at com.appworx.agent.AgentService.invoke(AgentService.java:1296)
at com.appworx.agent.AgentSocketManager$
A.doRun(AgentSocketManager.java:462)
at com.uc4.be.threading.AbstractWorker.run(AbstractWorker.java:367)
at java.lang.Thread.run(Thread.java:736)
Caused by: java.lang.RuntimeException
... 5 more
java.lang.RuntimeException
at com.appworx.agent.extensibleagent.A.invoke(GenericExtensibleAgent.java:298)
at com.appworx.agent.AgentService.invoke(AgentService.java:1296)
at com.appworx.agent.AgentSocketManager$_A.doRun(AgentSocketManager.java:462)
at com.uc4.be.threading.AbstractWorker.run(AbstractWorker.java:367)
at java.lang.Thread.run(Thread.java:736)

I've tried using the built-in regex and writing my own.

Am I missing something with this scenario? We would only want to pull back the ErrorMsg line of the event into a panel.

Thanks!

0 Karma

Re: Field Extraction - Event table only pulling back one line

Communicator

What is your regex looking like?
Already tried something like:
your base search | rex "(?<error_message>ErrorMsg:[^\n]+)"

If this captures too much, you can try:
your base search | rex "(?<error_message>ErrorMsg:[^)]+)"

Afterwards you should have a new field called error_message you can work with.

0 Karma
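
Added example, not part of the reply above: JavaScript named groups use the same `(?<name>...)` syntax as rex, so the two suggested patterns can be compared offline on the ErrorMsg event. The sample lines are constructed (abbreviated from the log in the question), and the event-breaking rule (a new event at each timestamped line) is an assumption.

```javascript
// Constructed sample, abbreviated from the log in the question.
function sample(errorLine) {
  return [
    "14:51:19.629 MSM6: .MasterSocketManager$A: doRun done 0 265838 null null Agent error",
    "14:51:19.629 CR1 172.20.240.32:63509: AwE-5128",
    errorLine,
    "Details: invokeAgent",
    "at com.appworx.agent.AgentService.invoke(AgentService.java:1335)",
  ].join("\n");
}

// Assumption: a new event starts at every line that begins with HH:MM:SS.mmm.
function splitEvents(text) {
  return text.split(/\n(?=\d{2}:\d{2}:\d{2}\.\d{3} )/);
}

// The two patterns from the reply.
const TO_EOL = /(?<error_message>ErrorMsg:[^\n]+)/;
const TO_PAREN = /(?<error_message>ErrorMsg:[^)]+)/;

// Apply one pattern per event, as rex does against _raw; keep only matches.
function extract(text, pattern) {
  const rows = [];
  for (const ev of splitEvents(text)) {
    const m = pattern.exec(ev);
    if (m) rows.push({ time: ev.slice(0, 12), error_message: m.groups.error_message });
  }
  return rows;
}

const WITH_DATE = sample("ErrorMsg: AwE-5128 Client Request Error (3/5/19 2:51 PM)");
const NO_DATE = sample("ErrorMsg: AwE-5128 Client Request Error");

// Print every pattern against both variants of the ErrorMsg line.
for (const [label, text] of [["with date", WITH_DATE], ["no date", NO_DATE]]) {
  for (const [name, re] of [["[^\\n]+", TO_EOL], ["[^)]+", TO_PAREN]]) {
    console.log(label, name, JSON.stringify(extract(text, re)));
  }
}
```

The `[^\n]+` form always stops at the end of the ErrorMsg line; the `[^)]+` form drops the closing parenthesis and, when the line has no parenthetical, runs on into the following lines of the event.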

Re: Field Extraction - Event table only pulling back one line

SplunkTrust

Can you share what regex you tried, and what exactly you are trying to extract from the sample data?


Re: Field Extraction - Event table only pulling back one line

Esteemed Legend

You showed us the event(s) but did not say what pieces you need captured. Also, I assume that your sample is showing multiple events, each one starting with the timestamp, not one huge multi-line event, right?

0 Karma