Splunk Search

Having trouble with rex command

bhaskar5428
Explorer

I have below raw string 

03 Mar 2022 10:08:18,188 GMT ERROR [dbdiNotificationService,ServiceManagement] {} - Caught Runtime exception at service dbdiNotificationService java.lang.IllegalArgumentException: No enum constant com.db.fx4capi.Fx4cApiLocal.TradeProcessingStatus.TRADE_STATUS_CANCELLED at java.lang.Enum.valueOf(Enum.java:238) ~[?:1.8.0_311] at com.db.fx4capi.Fx4cApiLocal$TradeProcessingStatus.valueOf(Fx4cApiLocal.java:10) ~[trade-22.1.1-8.jar:?] at com.db.fx4cash.trade.step.GetTradeReferenceAndStatusStep.step(GetTradeReferenceAndStatusStep.java:24) ~[step-22.1.1-8.jar:?] at com.db.servicemanagement.TransactionDispatchService.executeIteration(TransactionDispatchService.java:275) [servicemanagement-22.1.1-8.jar:?] at com.db.servicemanagement.TransactionDispatchService.startDispatch(TransactionDispatchService.java:673) [servicemanagement-22.1.1-8.jar:?] at com.db.servicemanagement.TransactionDispatchService.run(TransactionDispatchService.java:91) [servicemanagement-22.1.1-8.jar:?] at com.db.servicemanagement.ServiceThread.run(ServiceThread.java:36) [servicemanagement-22.1.1-8.jar:?] at java.lang.Thread.run(Thread.java:748) [?:1.8.0_311]



 

 

--------------------------------------------------------------------------------------------------------------------------------------

I would like to capture marked in bold.

am using below command but getting partial output.

index=app_events_fx4cash_uk_prod source=*STPManager-servicemanagement.20220303-100818.log*
| rex field=_raw "^[^\-\n]*\-\s+(?P<Error>.+)"
| table Error



my output 
Caught Runtime exception at service dbdiNotificationService

 

but my requirement is i need to capture whole error marked in bold

Labels (1)
0 Karma

diogofgm
SplunkTrust
SplunkTrust

You should use a code block when post these. Is this just s string or a multiline event?
I any case this should be able to get it:

| rex "[^\-\n]\s+\-\s+(?P<Error>.+)"

 

Tested in regex101

https://regex101.com/r/xWQ0mj/1

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

bhaskar5428
Explorer

Not working,

 

however below working for me 
rex field=_raw "^[^\-\n]*\-\s+(?P<Error>.$)"

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...