Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do I match multiple regex expressions?

BenzionYunger
New Member
‎12-25-2018 05:29 AM

I need to run a query that matches multiple expressions from JSON data. This is what I tried, but it didn't work:

regex (Primary.stackTrace="java.lang.RuntimeException: Sign in error message." | Primary.stackTrace="java.lang.RuntimeException: Login page failed to load within 45 seconds")

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-25-2018 01:10 PM

Your regex command contains regular expressions that don't match your events. "java.lang.RuntimeException: Sign in error message." expects the word "java" followed by any single character followed by "lang", a character, and the rest of the message. Try escaping periods: regex (Primary.stackTrace="java\.lang\.RuntimeException: Sign in error message" | Primary.stackTrace="java\.lang\.RuntimeException: Login page failed to load within 45 seconds").

Better yet, since these strings don't need to be expressions, let Splunk search for them as-is in your base search. Your performance may improve. index=foo ("java.lang.RuntimeException: Sign in error message." OR "java.lang.RuntimeException: Login page failed to load within 45 seconds") | ....

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-25-2018 01:10 PM

Your regex command contains regular expressions that don't match your events. "java.lang.RuntimeException: Sign in error message." expects the word "java" followed by any single character followed by "lang", a character, and the rest of the message. Try escaping periods: regex (Primary.stackTrace="java\.lang\.RuntimeException: Sign in error message" | Primary.stackTrace="java\.lang\.RuntimeException: Login page failed to load within 45 seconds").

Better yet, since these strings don't need to be expressions, let Splunk search for them as-is in your base search. Your performance may improve. index=foo ("java.lang.RuntimeException: Sign in error message." OR "java.lang.RuntimeException: Login page failed to load within 45 seconds") | ....

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

BenzionYunger
New Member
‎12-25-2018 11:50 PM

The first suggestion did not work either, it returned an error display msg "command not known primary", and the regex command for a single expression does work.
However, the 2nd suggestion did work effectively.
Thank You

0 Karma
Reply
Solved! Jump to solution

BenzionYunger
New Member
‎12-25-2018 12:07 PM

Here is an event example to demonstrate. Notice Primary.stackTrace and Secondary1.stackTrace have different values. Only events with testStatus="Failed" can have a stackTrace, and some stackTraces are not one of the regex expressions.

{   [-] 
   Primary: {   [-] 
     className: com.quantum.Tests   
     description: Android   
     device: 988DD2395042313346 
     executionID: test@test.com_RemoteWebDriver_18-12-23_20_25_23_76623 
     hostName: ip-10-0-0-8  
     location: NA-US-BOS    
     methodName: My Test
     methods: { [+] 
     }  
     model: Galaxy S8   
     monitorTag: null   
     os: Android    
     reportKey: null    
     reportiumReport: https://test.app.test.com/reporting/library?externalId[0]=monitor@test.com_RemoteWebDriver_18-12-23_20_25_23_76623&_timestamp[0]=1545596723084    
     stackTrace: java.lang.RuntimeException: Login page failed to load within 45 seconds
    at com.quantum.steps._App_Steps.verifySuccessfulLogin(_App_Steps.java:81)
    at com.quantum.Tests._CA_HCO_Access(Tests.java:156)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:104)
    at org.testng.internal.Invoker.invokeMethod(Invoker.java:645)
    at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:851)
    at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:1177)
    at org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:129)
    at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:112)
    at org.testng.TestRunner.privateRun(TestRunner.java:781)
    at org.testng.TestRunner.run(TestRunner.java:635)
    at org.testng.SuiteRunner.runTest(SuiteRunner.java:387)
    at org.testng.SuiteRunner.access$000(SuiteRunner.java:39)
    at org.testng.SuiteRunner$SuiteWorker.run(SuiteRunner.java:421)
    at org.testng.internal.thread.ThreadUtil$2.call(ThreadUtil.java:64)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

     testExecutionDuration: 224 
     testExecutionEnd: Dec 23, 2018 8:29:06 PM  
     testExecutionStart: Dec 23, 2018 8:25:21 PM    
     testName:  HCO Access - device 2   
     testStatus: Fail       
   }    
   Secondary1: {    [-] 
     className: com.quantum.Tests   
     description: Android   
     device: 988E16354746385136 
     executionID: monitor@test.com_RemoteWebDriver_18-12-23_20_25_23_76624  
     hostName: ip-10-0-0-8  
     location: NA-US-BOS    
     methodName: _CA_HCO_Access 
     methods: { [+] 
     }  
     model: Galaxy S8   
     monitorTag: null   
     os: Android    
     reportKey: null    
     reportiumReport: https://test.app.test.com/reporting/library?externalId[0]=monitor@test.com_RemoteWebDriver_18-12-23_20_25_23_76624&_timestamp[0]=1545596723084    
     stackTrace: java.lang.RuntimeException: Sign in error message
    at com.quantum.steps._App_Steps.verifySuccessfulLogin(_App_Steps.java:81)
    at com.quantum.Tests._CA_HCO_Access(Tests.java:156)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:104)
    at org.testng.internal.Invoker.invokeMethod(Invoker.java:645)
    at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:851)
    at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:1177)
    at org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:129)
    at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:112)
    at org.testng.TestRunner.privateRun(TestRunner.java:781)
    at org.testng.TestRunner.run(TestRunner.java:635)
    at org.testng.SuiteRunner.runTest(SuiteRunner.java:387)
    at org.testng.SuiteRunner.access$000(SuiteRunner.java:39)
    at org.testng.SuiteRunner$SuiteWorker.run(SuiteRunner.java:421)
    at org.testng.internal.thread.ThreadUtil$2.call(ThreadUtil.java:64)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

     testExecutionDuration: 89  
     testExecutionEnd: Dec 23, 2018 8:26:51 PM  
     testExecutionStart: Dec 23, 2018 8:25:21 PM    
     testName:  HCO Access - device 1   
     testStatus: Fail   
   }    
}
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-25-2018 08:32 AM

To properly diagnose regex problems, we really need to see some sample events.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...