My application has multiple plugins and the Splunk event contains the number of plugins that have failed to load. Sometimes all the plugins are active and sometimes more than 10 plugins fail to load. Here is a sample event. Basically the word behind the string "IS UNACCOUNTED FOR" is my plugin name. and I need all the plugin names that are present behind the string "is accounted for". And as I said, there could any number of failed plugins in the event. The following example event contains two failed plugins. i.e 'Announcer for CONF' and 'HipChat for CONF'
___ FAILED PLUGIN REPORT _____________________
1 plugin failed to load during CONF startup.
'com.bsaassian.plugins.authentication.bsaassian-authentication-plugin' - 'SAML for bsaassian Data Center' failed to load.
Unexpected exception parsing XML document from URL [bundle://127.0:0/META-INF/spring/plugin-context.xml]; nested exception is javax.xml.parsers.FactoryConfigurationError: Provider for class javax.xml.parsers.DocumentBuilderFactory cannot be created
Provider for class javax.xml.parsers.DocumentBuilderFactory cannot be created
Provider for class javax.xml.parsers.DocumentBuilderFactory cannot be created
javax.xml.parsers.DocumentBuilderFactory: Provider com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl not found
It was loaded from /apps/bsaassian/CONF.7.6.7/bsaassian-CONF/WEB-INF/bsaassian-bundled-plugins/bsaassian-authentication-plugin-2.0.8.jar
4 plugins are unaccounted for.
Unaccounted for plugins load as artifacts but fail to resolve into full plugins.
'com.wittified.atl-announcer-CONF' - 'Announcer for CONF' IS UNACCOUNTED FOR.
It was loaded from /atlshare/bsaassian/application-data/CONF/plugins/installed-plugins/plugin.2625541172025988687.atl-announcer-CONF-2.3.10-7x.jar
'com.bsaassian.labs.hipchat.hipchat-for-CONF-plugin' - 'HipChat for CONF' IS UNACCOUNTED FOR.
********************************************************************************************************************************************************************************************************
Hello,
Append this to your search, base_search | rex max_match=0 field=_raw "\'(?<plugin_name>[\w\s-]+?)\'\s+(?i)IS\sUNACCOUNTED\sFOR | table plugin_name
2020-11-30T23:59:46.101621+00:00 fdb2.fdb-us-south-002 2020-11-30T23:59:45Z { "Severity": "10", "Time": "1606780785.516014", "Type": "SomewhatSlowRunLoopTop", "ID": "0000000000000000", "Elapsed": "0.0734675", "Machine": "10.185.175.43:4501", "LogGroup": "default" }
I want to how Can i extract "severity": "10" in the search from the logs ?
Hello,
Append this to your search, base_search | rex max_match=0 field=_raw "\'(?<plugin_name>[\w\s-]+?)\'\s+(?i)IS\sUNACCOUNTED\sFOR | table plugin_name
It is missing one plugin. In the following example I have four such entries. But it shows only 3 entries. It is missing "bsaassian CONF - Plugins - Feedback Plugin"
___ FAILED PLUGIN REPORT _____________________
1 plugin failed to load during CONF startup.
'com.bsaassian.plugins.authentication.bsaassian-authentication-plugin' - 'SAML for bsaassian Data Center' failed to load.
Unexpected exception parsing XML document from URL [bundle://139.0:0/META-INF/spring/plugin-context.xml]; nested exception is javax.xml.parsers.FactoryConfigurationError: Provider for class javax.xml.parsers.DocumentBuilderFactory cannot be created
Provider for class javax.xml.parsers.DocumentBuilderFactory cannot be created
Provider for class javax.xml.parsers.DocumentBuilderFactory cannot be created
javax.xml.parsers.DocumentBuilderFactory: Provider com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl not found
It was loaded from /apps/bsaassian/CONF.7.6.7/bsaassian-CONF/WEB-INF/bsaassian-bundled-plugins/bsaassian-authentication-plugin-2.0.8.jar
4 plugins are unaccounted for.
Unaccounted for plugins load as artifacts but fail to resolve into full plugins.
'com.wittified.atl-announcer-CONF' - 'Announcer for CONF' is unaccounted for.
It was loaded from /btlpaire/bsaassian/application-data/CONF/plugins/installed-plugins/plugin.2625541172025988687.atl-announcer-CONF-2.3.10-7x.jar
'com.bsaassian.labs.hipchat.hipchat-for-CONF-plugin' - 'HipChat for CONF' is unaccounted for.
It was loaded from /btlpaire/bsaassian/application-data/CONF/plugins/installed-plugins/hipchat-for-CONF-plugin-7.8.12.jar
'com.bsaassian.feedback.CONF-feedback-plugin' - 'bsaassian CONF - Plugins - Feedback Plugin' is unaccounted for.
It was loaded from /apps/bsaassian/CONF.7.6.7/bsaassian-CONF/WEB-INF/bsaassian-bundled-plugins/CONF-feedback-plugin-7.6.7.jar
'com.bsaassian.CONF.ext.calendar' - 'CONF Calendar Plugin' is unaccounted for.
It was loaded from /btlpaire/bsaassian/application-data/CONF/plugins/installed-plugins/plugin.1353523214340827166.CONF-calendar-plugin-4.0.3.jar
********************************************************************************************************************************************************************************************************
That is because there is -
in plugin name and regex is not asked to match it. I updated regex in my answer above. Try it out.
On a side note: I added (?i) - case insensitive flag
for is unaccounted for
string because in the example above you had lowercase and in the question above, you had uppercase. Adjust regex as required.