Splunk Search

Field Extraction - Event table only pulling back one line

ryangrobbel
Explorer

Hi All,

I am currently pulling in data from an application and we are looking to extract the single line where the event occurs, and put it in an events table for a dashboard. I've tried using rex and regex to no avail. A sample of this data is:

14:51:19.425 MSM:read142-USCN9360: .SocketManager$1: got request SeqNo 452 Agent AMW_PRD2 Master null service checkNetwork Method checkConnection [USCN9360]
14:51:19.425 MSM2: .MasterSocketManager$_A: doRun 0 SeqNo 452 Agent AMW_PRD2 Master null service checkNetwork Method checkConnection [USCN9360]
14:51:19.425 MSM2: .CheckNetworkService: USCN9360
14:51:19.425 MSM2: .MasterSocketManager$_A: doRun done 0 SeqNo 452 Agent AMW_PRD2 Master null service checkN
14:51:19.613 CR:read122-/172.20.240.32:63509: .SocketManager$1: got request SeqNo 5005 Agent 172.30.106.172:1099 Master Client service clientServices sessionID 287 Method invokeAgent [FTP, FTP, ftpLi
stDirectory, [Ljava.lang.Object;@1367476]
14:51:19.613 CR1: .D$_A: doRun 0 SeqNo 5005 Agent 172.30.106.172:1099 Master Client service clientServices sessionID 287 Method invokeAgent [FTP, FTP, ftpListDirectory, [Ljava.lang.Obje
14:51:19.613 CR1 172.20.240.32:63509: .C: invoke invokeAgent com.appworx.server.data.AxRmiServer /172.20.240.32:63509
14:51:19.613 CR1 172.20.240.32:63509: .MasterSocketManager: sendRequest 172.30.118.41:55895 SeqNo 265838 Agent FTP Master AMW_PRD2 service FTP Method ftpListDirectory [{CONNECTION_NAME=Ftp@Jde-apx511
}, /apps/jdeasq03/uc4]
14:51:19.629 MSM:read61-JDEASP05: .SocketManager$1: got request 265838 null null Agent error : FTP:ftpListDirectory : Client Request Error : Directory /apps/jdeasq03/uc4 does not exist. : java.lang.Ru
ntimeException
14:51:19.629 MSM6: .MasterSocketManager$_A: doRun 0 265838 null null Agent error : FTP:ftpListDirectory : Client Request Error : Directory /apps/jdeasq03/uc4 does not exist. : java.lang.RuntimeExcepti
on
14:51:19.629 MSM6: .MasterSocketManager$_A: doRun done 0 265838 null null Agent error : FTP:ftpListDirectory
14:51:19.629 CR1 172.20.240.32:63509: AwE-5128
ErrorMsg: AwE-5128 Client Request Error (3/5/19 2:51 PM)
Details: invokeAgent
Agent error : FTP:ftpListDirectory : Client Request Error : Directory /apps/jdeasq03/uc4 does not exist. : java.lang.RuntimeException
at com.appworx.agent.AgentService.invoke(AgentService.java:1335)
at com.appworx.agent.AgentSocketManager$_A.doRun(AgentSocketManager.java:462)
at com.uc4.be.threading.AbstractWorker.run(AbstractWorker.java:367)
at java.lang.Thread.run(Thread.java:736)
Caused by: Client Request Error : Directory /apps/jdeasq03/uc4 does not exist. : java.lang.RuntimeException
at com.appworx.agent.extensibleagent.A.invoke(GenericExtensibleAgent.java:298)
at com.appworx.agent.AgentService.invoke(AgentService.java:1296)
... 3 more
Caused by: java.lang.RuntimeException
... 5 more
AwE-5128 Client Request Error
Directory /apps/jdeasq03/uc4 does not exist.
Client Request Error : Directory /apps/jdeasq03/uc4 does not exist. : java.lang.RuntimeException
at com.appworx.agent.extensibleagent.A.invoke(GenericExtensibleAgent.java:298)
at com.appworx.agent.AgentService.invoke(AgentService.java:1296)
at com.appworx.agent.AgentSocketManager$_A.doRun(AgentSocketManager.java:462)
at com.uc4.be.threading.AbstractWorker.run(AbstractWorker.java:367)
at java.lang.Thread.run(Thread.java:736)
Caused by: java.lang.RuntimeException
... 5 more
java.lang.RuntimeException
at com.appworx.agent.extensibleagent.A.invoke(GenericExtensibleAgent.java:298)
at com.appworx.agent.AgentService.invoke(AgentService.java:1296)
at com.appworx.agent.AgentSocketManager$_A.doRun(AgentSocketManager.java:462)
at com.uc4.be.threading.AbstractWorker.run(AbstractWorker.java:367)
at java.lang.Thread.run(Thread.java:736)

I've tried using the built-in regex and writing my own.

Am I missing something with this scenario? We would only want to pull back the ErrorMsg line of the event into a panel.

Thanks!

0 Karma

woodcock
Esteemed Legend

You showed us the event(s) but did not say what pieces you need captured. Also, I assume that your sample is showing multiple events, each one starting with the timestamp, not one huge multi-line event, right?

0 Karma

mayurr98
Super Champion

Can you share what regex you tried, and what exactly you are trying to extract from the sample data?

damann
Communicator

What is your regex looking like?
Already tried something like:
your base search | rex "(?<error_message>ErrorMsg:[^\n]+)"

If this captures too much, you can try:
your base search | rex "(?<error_message>ErrorMsg:[^)]+)"

Afterwards you should have a new field called error_message you can work with.

0 Karma
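The two rex patterns suggested above, run in Python over a few lines of the sample log, as an added example that is not part of the original thread. It assumes events break at a leading HH:MM:SS.mmm timestamp (the layout woodcock asks about); the `NO_PAREN` event and the helper names are constructed for illustration.

```python
import re

# Constructed sample: lines copied from the log in the question (one event shortened).
SAMPLE = """\
14:51:19.629 MSM6: .MasterSocketManager$_A: doRun done 0 265838 null null Agent error : FTP:ftpListDirectory
14:51:19.629 CR1 172.20.240.32:63509: AwE-5128
ErrorMsg: AwE-5128 Client Request Error (3/5/19 2:51 PM)
Details: invokeAgent
at com.appworx.agent.AgentService.invoke(AgentService.java:1335)
"""

# Constructed edge case (not from the thread): an ErrorMsg line with no ")".
NO_PAREN = """\
14:51:20.000 CR1: AwE-0000
ErrorMsg: AwE-0000 Example Error
at com.example.Foo.bar(Foo.java:1)
"""

# Assumption: an event starts at a line beginning with HH:MM:SS.mmm.
EVENT_START = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3} ", re.M)

# Python spells named groups (?P<name>...); Splunk's rex uses (?<name>...).
TO_EOL = re.compile(r"(?P<error_message>ErrorMsg:[^\n]+)")
TO_PAREN = re.compile(r"(?P<error_message>ErrorMsg:[^)]+)")

def split_events(text):
    """Attach continuation lines (details, stack trace) to the timestamped line above."""
    starts = [m.start() for m in EVENT_START.finditer(text)]
    if not starts or starts[0] != 0:
        starts.insert(0, 0)  # keep any leading lines that have no timestamp
    bounds = starts + [len(text)]
    chunks = (text[a:b].rstrip("\n") for a, b in zip(bounds, bounds[1:]))
    return [c for c in chunks if c.strip()]

def extract(events, pattern):
    """One row per event: (first 12 chars, i.e. the timestamp, error_message or None)."""
    rows = []
    for ev in events:
        m = pattern.search(ev)
        rows.append((ev[:12], m.group("error_message") if m else None))
    return rows

if __name__ == "__main__":
    for name, pat in (("[^\\n]+", TO_EOL), ("[^)]+", TO_PAREN)):
        for sample in (SAMPLE, NO_PAREN):
            for row in extract(split_events(sample), pat):
                print(name, row)
```

The `[^)]+` variant stops before the closing parenthesis, and when the ErrorMsg line contains no `)` it runs across the line break into the stack trace; `[^\n]+` always stops at the end of the line.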