Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do I match multiple regex expressions?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
BenzionYunger
New Member
12-25-2018
05:29 AM
I need to run a query that matches multiple expressions from JSON data. This is what I tried, but it didn't work:
regex (Primary.stackTrace="java.lang.RuntimeException: Sign in error message." | Primary.stackTrace="java.lang.RuntimeException: Login page failed to load within 45 seconds")
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
12-25-2018
01:10 PM
Your regex command contains regular expressions that don't match your events. "java.lang.RuntimeException: Sign in error message." expects the word "java" followed by any single character followed by "lang", a character, and the rest of the message. Try escaping periods: regex (Primary.stackTrace="java\.lang\.RuntimeException: Sign in error message" | Primary.stackTrace="java\.lang\.RuntimeException: Login page failed to load within 45 seconds").
Better yet, since these strings don't need to be expressions, let Splunk search for them as-is in your base search. Your performance may improve. index=foo ("java.lang.RuntimeException: Sign in error message." OR "java.lang.RuntimeException: Login page failed to load within 45 seconds") | ....
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
12-25-2018
01:10 PM
Your regex command contains regular expressions that don't match your events. "java.lang.RuntimeException: Sign in error message." expects the word "java" followed by any single character followed by "lang", a character, and the rest of the message. Try escaping periods: regex (Primary.stackTrace="java\.lang\.RuntimeException: Sign in error message" | Primary.stackTrace="java\.lang\.RuntimeException: Login page failed to load within 45 seconds").
Better yet, since these strings don't need to be expressions, let Splunk search for them as-is in your base search. Your performance may improve. index=foo ("java.lang.RuntimeException: Sign in error message." OR "java.lang.RuntimeException: Login page failed to load within 45 seconds") | ....
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
BenzionYunger
New Member
12-25-2018
11:50 PM
The first suggestion did not work either, it returned an error display msg "command not known primary", and the regex command for a single expression does work.
However, the 2nd suggestion did work effectively.
Thank You
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
BenzionYunger
New Member
12-25-2018
12:07 PM
Here is an event example to demonstrate. Notice Primary.stackTrace and Secondary1.stackTrace have different values. Only events with testStatus="Failed" can have a stackTrace, and some stackTraces are not one of the regex expressions.
{ [-]
Primary: { [-]
className: com.quantum.Tests
description: Android
device: 988DD2395042313346
executionID: test@test.com_RemoteWebDriver_18-12-23_20_25_23_76623
hostName: ip-10-0-0-8
location: NA-US-BOS
methodName: My Test
methods: { [+]
}
model: Galaxy S8
monitorTag: null
os: Android
reportKey: null
reportiumReport: https://test.app.test.com/reporting/library?externalId[0]=monitor@test.com_RemoteWebDriver_18-12-23_20_25_23_76623&_timestamp[0]=1545596723084
stackTrace: java.lang.RuntimeException: Login page failed to load within 45 seconds
at com.quantum.steps._App_Steps.verifySuccessfulLogin(_App_Steps.java:81)
at com.quantum.Tests._CA_HCO_Access(Tests.java:156)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:104)
at org.testng.internal.Invoker.invokeMethod(Invoker.java:645)
at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:851)
at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:1177)
at org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:129)
at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:112)
at org.testng.TestRunner.privateRun(TestRunner.java:781)
at org.testng.TestRunner.run(TestRunner.java:635)
at org.testng.SuiteRunner.runTest(SuiteRunner.java:387)
at org.testng.SuiteRunner.access$000(SuiteRunner.java:39)
at org.testng.SuiteRunner$SuiteWorker.run(SuiteRunner.java:421)
at org.testng.internal.thread.ThreadUtil$2.call(ThreadUtil.java:64)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
testExecutionDuration: 224
testExecutionEnd: Dec 23, 2018 8:29:06 PM
testExecutionStart: Dec 23, 2018 8:25:21 PM
testName: HCO Access - device 2
testStatus: Fail
}
Secondary1: { [-]
className: com.quantum.Tests
description: Android
device: 988E16354746385136
executionID: monitor@test.com_RemoteWebDriver_18-12-23_20_25_23_76624
hostName: ip-10-0-0-8
location: NA-US-BOS
methodName: _CA_HCO_Access
methods: { [+]
}
model: Galaxy S8
monitorTag: null
os: Android
reportKey: null
reportiumReport: https://test.app.test.com/reporting/library?externalId[0]=monitor@test.com_RemoteWebDriver_18-12-23_20_25_23_76624&_timestamp[0]=1545596723084
stackTrace: java.lang.RuntimeException: Sign in error message
at com.quantum.steps._App_Steps.verifySuccessfulLogin(_App_Steps.java:81)
at com.quantum.Tests._CA_HCO_Access(Tests.java:156)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:104)
at org.testng.internal.Invoker.invokeMethod(Invoker.java:645)
at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:851)
at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:1177)
at org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:129)
at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:112)
at org.testng.TestRunner.privateRun(TestRunner.java:781)
at org.testng.TestRunner.run(TestRunner.java:635)
at org.testng.SuiteRunner.runTest(SuiteRunner.java:387)
at org.testng.SuiteRunner.access$000(SuiteRunner.java:39)
at org.testng.SuiteRunner$SuiteWorker.run(SuiteRunner.java:421)
at org.testng.internal.thread.ThreadUtil$2.call(ThreadUtil.java:64)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
testExecutionDuration: 89
testExecutionEnd: Dec 23, 2018 8:26:51 PM
testExecutionStart: Dec 23, 2018 8:25:21 PM
testName: HCO Access - device 1
testStatus: Fail
}
}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
12-25-2018
08:32 AM
To properly diagnose regex problems, we really need to see some sample events.
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
