Solved: Re: How do you use the rex command to extract a ce... - Splunk Community

Splunk Search

I am trying to extract a certain error and then plot in on an are chart using rex. Below is the error I am looking for in logs :

Error : Request processing failed; nested exception is com.unionbank.banking.exception.BankingRuntimeException: HRTMap : HRTMap

The query I am using is :

index=xxx host=*prd* source= *yyy* "HRTMap"  | eval Date=strftime(_time, "%m-%d-%Y") | eval Time=strftime(_time, "%H:%M:%S") |rex "HRTMap: (?\w+)" | timechart count(HRTMapError) as HRT

but I am not getting a result for that.

1 Solution

Solution

Try this:

index=xxx host=prd source= yyy "HRTMap" | eval Date=strftime(_time, "%m-%d-%Y") | eval Time=strftime(_time, "%H:%M:%S") |rex "HRTMap\s*:\s*(?<HRTMapError>\w+)" | timechart count(HRTMapError) as HRT

You can also use |timechart dc(HRTMapError) as HRT to get the distinct count of error messages.

Hope it helps

View solution in original post

Solution

Try this:

index=xxx host=prd source= yyy "HRTMap" | eval Date=strftime(_time, "%m-%d-%Y") | eval Time=strftime(_time, "%H:%M:%S") |rex "HRTMap\s*:\s*(?<HRTMapError>\w+)" | timechart count(HRTMapError) as HRT

You can also use |timechart dc(HRTMapError) as HRT to get the distinct count of error messages.

Hope it helps

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...