Solved: Re: How do I match multiple regex expressions?

BenzionYunger · ‎12-25-2018

I need to run a query that matches multiple expressions from JSON data. This is what I tried, but it didn't work:

regex (Primary.stackTrace="java.lang.RuntimeException: Sign in error message." | Primary.stackTrace="java.lang.RuntimeException: Login page failed to load within 45 seconds")

richgalloway · ‎12-25-2018

Your regex command contains regular expressions that don't match your events. "java.lang.RuntimeException: Sign in error message." expects the word "java" followed by any single character followed by "lang", a character, and the rest of the message. Try escaping periods: regex (Primary.stackTrace="java\.lang\.RuntimeException: Sign in error message" | Primary.stackTrace="java\.lang\.RuntimeException: Login page failed to load within 45 seconds").

Better yet, since these strings don't need to be expressions, let Splunk search for them as-is in your base search. Your performance may improve. index=foo ("java.lang.RuntimeException: Sign in error message." OR "java.lang.RuntimeException: Login page failed to load within 45 seconds") | ....

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎12-25-2018

Your regex command contains regular expressions that don't match your events. "java.lang.RuntimeException: Sign in error message." expects the word "java" followed by any single character followed by "lang", a character, and the rest of the message. Try escaping periods: regex (Primary.stackTrace="java\.lang\.RuntimeException: Sign in error message" | Primary.stackTrace="java\.lang\.RuntimeException: Login page failed to load within 45 seconds").

Better yet, since these strings don't need to be expressions, let Splunk search for them as-is in your base search. Your performance may improve. index=foo ("java.lang.RuntimeException: Sign in error message." OR "java.lang.RuntimeException: Login page failed to load within 45 seconds") | ....

---
If this reply helps you, Karma would be appreciated.

BenzionYunger · ‎12-25-2018

The first suggestion did not work either, it returned an error display msg "command not known primary", and the regex command for a single expression does work.
However, the 2nd suggestion did work effectively.
Thank You

BenzionYunger · ‎12-25-2018

Here is an event example to demonstrate. Notice Primary.stackTrace and Secondary1.stackTrace have different values. Only events with testStatus="Failed" can have a stackTrace, and some stackTraces are not one of the regex expressions.

{   [-] 
   Primary: {   [-] 
     className: com.quantum.Tests   
     description: Android   
     device: 988DD2395042313346 
     executionID: test@test.com_RemoteWebDriver_18-12-23_20_25_23_76623 
     hostName: ip-10-0-0-8  
     location: NA-US-BOS    
     methodName: My Test
     methods: { [+] 
     }  
     model: Galaxy S8   
     monitorTag: null   
     os: Android    
     reportKey: null    
     reportiumReport: https://test.app.test.com/reporting/library?externalId[0]=monitor@test.com_RemoteWebDriver_18-12-23_20_25_23_76623&_timestamp[0]=1545596723084    
     stackTrace: java.lang.RuntimeException: Login page failed to load within 45 seconds
    at com.quantum.steps._App_Steps.verifySuccessfulLogin(_App_Steps.java:81)
    at com.quantum.Tests._CA_HCO_Access(Tests.java:156)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:104)
    at org.testng.internal.Invoker.invokeMethod(Invoker.java:645)
    at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:851)
    at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:1177)
    at org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:129)
    at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:112)
    at org.testng.TestRunner.privateRun(TestRunner.java:781)
    at org.testng.TestRunner.run(TestRunner.java:635)
    at org.testng.SuiteRunner.runTest(SuiteRunner.java:387)
    at org.testng.SuiteRunner.access$000(SuiteRunner.java:39)
    at org.testng.SuiteRunner$SuiteWorker.run(SuiteRunner.java:421)
    at org.testng.internal.thread.ThreadUtil$2.call(ThreadUtil.java:64)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

     testExecutionDuration: 224 
     testExecutionEnd: Dec 23, 2018 8:29:06 PM  
     testExecutionStart: Dec 23, 2018 8:25:21 PM    
     testName:  HCO Access - device 2   
     testStatus: Fail       
   }    
   Secondary1: {    [-] 
     className: com.quantum.Tests   
     description: Android   
     device: 988E16354746385136 
     executionID: monitor@test.com_RemoteWebDriver_18-12-23_20_25_23_76624  
     hostName: ip-10-0-0-8  
     location: NA-US-BOS    
     methodName: _CA_HCO_Access 
     methods: { [+] 
     }  
     model: Galaxy S8   
     monitorTag: null   
     os: Android    
     reportKey: null    
     reportiumReport: https://test.app.test.com/reporting/library?externalId[0]=monitor@test.com_RemoteWebDriver_18-12-23_20_25_23_76624&_timestamp[0]=1545596723084    
     stackTrace: java.lang.RuntimeException: Sign in error message
    at com.quantum.steps._App_Steps.verifySuccessfulLogin(_App_Steps.java:81)
    at com.quantum.Tests._CA_HCO_Access(Tests.java:156)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:104)
    at org.testng.internal.Invoker.invokeMethod(Invoker.java:645)
    at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:851)
    at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:1177)
    at org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:129)
    at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:112)
    at org.testng.TestRunner.privateRun(TestRunner.java:781)
    at org.testng.TestRunner.run(TestRunner.java:635)
    at org.testng.SuiteRunner.runTest(SuiteRunner.java:387)
    at org.testng.SuiteRunner.access$000(SuiteRunner.java:39)
    at org.testng.SuiteRunner$SuiteWorker.run(SuiteRunner.java:421)
    at org.testng.internal.thread.ThreadUtil$2.call(ThreadUtil.java:64)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

     testExecutionDuration: 89  
     testExecutionEnd: Dec 23, 2018 8:26:51 PM  
     testExecutionStart: Dec 23, 2018 8:25:21 PM    
     testName:  HCO Access - device 1   
     testStatus: Fail   
   }    
}

richgalloway · ‎12-25-2018

To properly diagnose regex problems, we really need to see some sample events.

---
If this reply helps you, Karma would be appreciated.

How do I match multiple regex expressions?

Splunk Answers Content Calendar, June Edition

What You Read The Most: Splunk Lantern’s Most Popular Articles!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Are you a member of the Splunk Community?

How do I match multiple regex expressions?

Splunk Answers Content Calendar, June Edition

What You Read The Most: Splunk Lantern’s Most Popular Articles!

See your relevant APM services, dashboards, and alerts in one place with the updated ...