Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Field Extraction

shivam_j
New Member
‎11-19-2019 07:44 AM

Hi All, I want to extract the log to be extracted from error message till : message : , but not getting it, I have tried few queries but I am not getting the desired output:

error message System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The remote name could not be resolved: TimeoutChecklistExecutionResultHandler.cs:line 293 : message : {
Please suggest what query should I choose.
PS: | rex ".(Asterisk)error message (?.(Asterisk)) : message : .*" is not working

0 Karma
Reply

dindu
Contributor
‎11-19-2019 12:12 PM

Hi Shivam,

We could use regexes to extract the required values.
All the answers given above will give the desired results.However, it is advisable to achieve in minimum steps and minimum latency.
Otherwise it will have an impact on performance.

You could check your regex in https://regex101.com/ and look on the top middle to see the no of steps iterated and time consumed.
Its better not to include too much identifier for matching, as it will impact the performance.

I would suggest to go with the below regex which only took 46 steps- considering the key identifiers to be the words error message and message.
Your overall query becomes .

|Your_search
|rex field = _raw  "error\smessage(?P<exception_message>.*)message"
| table exception_message

Please accept and upvote the answer if this helped you.
Happy Splunking!!

Reply

shivam_j
New Member
‎11-19-2019 11:51 PM

Hi Dindu, unfortunately, the log already contains 'message' keyword in between (which i skipped in the log i mentioned in the que. otherwise it would get long). So, this won't work. Thanks for the answer bdw.

0 Karma
Reply

Anantha123
Communicator
‎11-19-2019 10:36 AM

Hi Try this

| rex field=_raw "error\smessage\s(?P<ErrorMessage>.*)\s:\smessage\s" | table ErrorMessage

Reply

uagrawal_splunk
Splunk Employee
Splunk Employee
‎11-19-2019 09:52 AM

Try the below query
error message .*(?=(: message :))

0 Karma
Reply

mayurr98
Super Champion
‎11-19-2019 09:52 AM

try this:

| makeresults 
|  eval _raw="error message System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The remote name could not be resolved: TimeoutChecklistExecutionResultHandler.cs:line 293 : message : {" 
|  rex  "error\s+message\s+(?<Message>.+?(?=(\:\s+message\s+\:)))"
0 Karma
Reply

uagrawal_splunk
Splunk Employee
Splunk Employee
‎11-19-2019 10:10 AM

I tried the query in regex101 and it takes 650 steps to match the regex. And the same query with little modification takes the 78 steps to match the regex. Here is the query:

error\s+message\s+(?<Message>.*(?=(\:\s+message\s+\:)))

0 Karma
Reply

mayurr98
Super Champion
‎11-19-2019 10:36 AM

yes, there are several ways to solve the same problem but the idea behind it to use Positive Lookahead and Quantifier.

you could also try error\s+message\s+(?<Message>.+(?=(\:\s+message\s+\:)))

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...