Splunk Search

Get the exception and Error in Splunk query

bhartiya008
Explorer

I am trying to build a Splunk query to get the error summary from a log. I want to capture all the events where there is some ERROR, Exception or Failure.

Below is the sample data:

ERROR org.mule.component.ComponentException: Failed to invoke ScriptComponent{bapmFlow.component.797791858}. Component that caused exception is: ScriptComponent{bapmFlow.component.797791858}.
host = host1   source = /odt/mule_/logs/bapm.log   sourcetype = gdt_index

2/7/21 12:00:04.000 AM
2021-02-07 00:00:04,422 [[Java2python].bapmFlow.stage1.03] ERROR org.mule.exception.CatchMessagingExceptionStrategy - Failed to dispatch message to error queue after it failed to process.  This may cause message loss. Message identification summary here: id=54972f10-6901-11eb-ad2a-0050568f5886 correlationId=<not set>, correlationGroup=-1, correlationSeq=-1
host = host1   source = /odt/mule_/logs/bapm.log   sourcetype = gdt_index

2021-02-07 00:00:04,407 [[Java2python].bapmFlow.stage1.03] ERROR org.mule.exception.CatchMessagingExceptionStrategy -
********************************************************************************
Message               : org.mule.module.db.internal.domain.connection.ConnectionCreationException: Cannot get connection for URL jdbc:sqlserver://VLTROUXRPT.us.global.crux.com\PRS:1713;databaseName=DFT;domain=US;integratedSecurity=false;authenticationScheme=JavaKerberos;userName=Jack;password=<<credentials>>;trustServerCertificate=true;encrypt=true; : Login failed for user 'Jack'. ClientConnectionId:34edad77-7de1-4d0f-bc13-0fb7f090f722 (java.sql.SQLException)

2021-02-07 00:00:02,936 [[Java2python].bapmFlow.stage1.03] ERROR org.mule.exception.CatchMessagingExceptionStrategy -
... 89 lines omitted ...
2021-02-07 00:00:02,951 [[Java2python].bapmFlow.stage1.03] ERROR org.mule.exception.CatchMessagingExceptionStrategy - Failed to dispatch message to error queue after it failed to process.  This may cause message loss. Message identification summary here: id=54970800-6901-11eb-a3d3-0050568f5165 correlationId=<not set>, correlationGroup=-1, correlationSeq=-1

I have noticed the following: the ERROR keyword comes before the failures, together with the exception name. So I built this basic query like below, but it's not giving the desired results:

index=hdt  sourcetype=gdt_index ("ERROR" AND "Exception") OR "FAILED"
| rex ".*?(?<Exception>(\w+\.)+\w*Exception).*"
| rex "(?<ErrorMessage>\"Message\":(.*\",))"
| stats values(ErrorMessage) as ErrorMessage by Exception

1 Solution

ITWhisperer
SplunkTrust

You can get both values from one rex expression - I extended the Exception part to include other words such as Strategy to get the complete name of the exception, then skip over the non-words (spaces, colons, etc.), then assume the remainder of the line was the error message you wanted.

| rex ".*?(?<Exception>(\w+\.)+\w*Exception\w*)\W+(?<ErrorMessage>.*)"


bhartiya008
Explorer

Thanks @ITWhisperer, yes, you are right. I was trying to follow the examples I had in my project.
I want the message of the failures, which comes right after the exception.
For example:

Failed to invoke ScriptComponent{bapmFlow.component.797791858}. Component that caused exception is: ScriptComponent{bapmFlow.component.797791858}.
Cannot get connection for URL jdbc:sqlserver://VLTROUXRPT.us.global.crux.com\PRS:1713;databaseName=DFT;domain=US;integratedSecurity=false;authenticationScheme=JavaKerberos;userName=Jack;password=<<credentials>>;trustServerCertificate=true;encrypt=true; : Login failed for user 'Jack'. ClientConnectionId:34edad77-7de1-4d0f-bc13-0fb7f090f722 (java.sql.SQLException)

I want the exception name and the messages with which it failed.



bhartiya008
Explorer

@ITWhisperer Can you also please explain it a bit?


ITWhisperer
SplunkTrust
".*?(?<Exception>(\w+\.)+\w*Exception\w*)\W+(?<ErrorMessage>.*)"
.*? - not really needed since * means 0 or more so could match anything or nothing
(?<Exception>(\w+\.)+\w*Exception\w*) - first capture group
  <Exception> - name of field
  (\w+\.)+ - one or more groups of "letters" followed by a . e.g. class in exception class hierarchy
  \w*Exception - zero or more "letters" followed by Exception
  \w* - zero or more "letters"
  Strings which match this are put into the Exception field (assuming the rest of the expression matches)
\W+ - one or more "non-letter" e.g. punctuation and spaces
(?<ErrorMessage>.*) - second capture group
  <ErrorMessage> - name of field
  .* - zero or more of anything until end of the line
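
As an added illustration (my own Python, not ITWhisperer's code and not something from this thread), the script below runs both the question's original Exception rex and the accepted one over three events constructed from the sample data in the question, mimicking what a default rex command does (unanchored search, first match only, a dot that stops at a newline) and what the stats values(ErrorMessage) by Exception step produces. It shows why the extra \w* matters (the original pattern cuts CatchMessagingExceptionStrategy down to CatchMessagingException), what the first match returns on the multi-line event whose interesting exception sits on its third line, and a check that the JDBC URL carried along inside ErrorMessage still has its password masked. Assumptions: rewriting (?<name> to (?P<name> is only valid because these two patterns contain no lookbehinds; the events are constructed, not real log output; leaks_password and its <<credentials>> placeholder check are my addition, not anything the thread discusses.

```python
import re
from collections import defaultdict

# Splunk's rex uses PCRE named groups, "(?<name>...)"; Python's re module spells them
# "(?P<name>...)". Neither pattern from the thread contains a lookbehind ("(?<=", "(?<!"),
# so a plain text replacement converts them safely (assumption, see the lead-in).
def pcre_to_python(pattern: str) -> str:
    return pattern.replace("(?<", "(?P<")

# The question's original Exception extraction and the accepted one, copied from the thread.
ORIGINAL_REX = r".*?(?<Exception>(\w+\.)+\w*Exception).*"
ACCEPTED_REX = r".*?(?<Exception>(\w+\.)+\w*Exception\w*)\W+(?<ErrorMessage>.*)"

def rex(pattern: str, text: str) -> dict:
    """Behave like a default `| rex`: unanchored search, first match only, and '.' does
    not cross a newline. Returns {} when nothing matches (the fields stay absent)."""
    m = re.search(pcre_to_python(pattern), text)
    return m.groupdict() if m else {}

def rex_per_line(pattern: str, event: str) -> list:
    """Apply the pattern to each line of a multi-line event and keep the lines that match.
    On the Splunk side this corresponds to splitting _raw on the newline, mvexpand-ing the
    result and running rex on the expanded field; it recovers an inner exception that the
    first-match form skips."""
    return [f for line in event.splitlines() if (f := rex(pattern, line))]

def stats_values_by_exception(events: list, pattern: str = ACCEPTED_REX) -> dict:
    """Mimic `| stats values(ErrorMessage) as ErrorMessage by Exception`: distinct messages,
    sorted, grouped by exception name; events with no Exception are dropped, like any row
    with a null by-field."""
    table = defaultdict(set)
    for event in events:
        fields = rex(pattern, event)
        if "Exception" in fields:
            table[fields["Exception"]].add(fields.get("ErrorMessage", ""))
    return {exc: sorted(msgs) for exc, msgs in table.items()}

# ErrorMessage keeps the whole JDBC URL, userName= and password= included. Mule printed the
# placeholder "<<credentials>>" for the password in the sample; this check (added here, not
# part of the thread) flags a message whose password= value is anything else, so the field
# can be verified before `stats values()` fans it out into a summary table.
_PASSWORD_PARAM = re.compile(r"password=([^;\s]+)")

def leaks_password(message: str) -> bool:
    return any(v != "<<credentials>>" for v in _PASSWORD_PARAM.findall(message))

# Constructed events modelled on the sample data in the question (not real log output).
EVENT_A = ("ERROR org.mule.component.ComponentException: Failed to invoke "
           "ScriptComponent{bapmFlow.component.797791858}. Component that caused exception "
           "is: ScriptComponent{bapmFlow.component.797791858}.")
EVENT_B = ("2021-02-07 00:00:04,422 [[Java2python].bapmFlow.stage1.03] ERROR "
           "org.mule.exception.CatchMessagingExceptionStrategy - Failed to dispatch message "
           "to error queue after it failed to process.  This may cause message loss. Message "
           "identification summary here: id=54972f10-6901-11eb-ad2a-0050568f5886 "
           "correlationId=<not set>, correlationGroup=-1, correlationSeq=-1")
EVENT_C = "\n".join([  # a multi-line event: header line, banner, then the inner exception
    "2021-02-07 00:00:04,407 [[Java2python].bapmFlow.stage1.03] ERROR "
    "org.mule.exception.CatchMessagingExceptionStrategy - ",
    "*" * 80,
    r"Message               : org.mule.module.db.internal.domain.connection."
    r"ConnectionCreationException: Cannot get connection for URL jdbc:sqlserver://"
    r"VLTROUXRPT.us.global.crux.com\PRS:1713;databaseName=DFT;domain=US;"
    r"integratedSecurity=false;authenticationScheme=JavaKerberos;userName=Jack;"
    r"password=<<credentials>>;trustServerCertificate=true;encrypt=true; : "
    r"Login failed for user 'Jack'. ClientConnectionId:34edad77-7de1-4d0f-bc13-0fb7f090f722 "
    r"(java.sql.SQLException)",
])
EVENTS = [EVENT_A, EVENT_B, EVENT_C]

if __name__ == "__main__":
    # The original pattern stops at "...Exception" and drops the "Strategy" suffix.
    for event in EVENTS:
        print("original:", rex(ORIGINAL_REX, event).get("Exception"))
        print("accepted:", rex(ACCEPTED_REX, event).get("Exception"))
    # The first match on the multi-line event is the outer strategy class; per line, the
    # inner ConnectionCreationException and its message surface as well.
    for fields in rex_per_line(ACCEPTED_REX, EVENT_C):
        print(fields["Exception"], "->", fields["ErrorMessage"][:60])
    for exc, messages in stats_values_by_exception(EVENTS).items():
        print(exc)
        for msg in messages:
            print("   ", msg[:90], "| password leaked:", leaks_password(msg))
```

On the Splunk side the per-line pass corresponds to eval line=split(_raw,"\n") | mvexpand line | rex field=line "..." with the accepted pattern, which is how you would surface the ConnectionCreationException on the third line of the multi-line event instead of the outer CatchMessagingExceptionStrategy that the first match returns. Because ErrorMessage keeps the whole JDBC connection string (userName=Jack and the masked password), confirm the masking is in place before the stats command fans that field out into a summary that many people can read.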

bhartiya008
Explorer

@ITWhisperer Thank you so much!! This will help 🙂

bhartiya008
Explorer

@ITWhisperer This looks perfect to me!!
Thanks!!


ITWhisperer
SplunkTrust

You don't have anything in your example that contains "Message": so ErrorMessage would not contain anything - what were you expecting it to hold?
