I have 2 types of error messages that I want to display along with their count. One error has "." at the end and another has "." at the end but has some redundant string surrounded by "<>" which I dont need. Is there a way to accomodate both these in the same regex? Currently I am using below regex with only "." condition and it seems its not working for messages with "<"
Message 1 :
stack_trace : com.abc.xyz.package.ExceptionName: Missing A.
Message 2:
stack_trace : com.abc.xyz.package.ExceptionName: Missing B <abcd> com.
Query
BASE_SEARCH| rex field=_raw "Exception: (?<ExceptionText>[^\.]+)"
| stats count as Count by "ExceptionTest"
Expected Output
Missing A 3
Missing B 4
Actual Output
Missing A 3
Missing B <abcd> com 4
Hi @ghostrider,
please try this regex
ExceptionName:\s+(?<message>[^\.\<]+)
that you can test at https://regex101.com/r/Qegzo3/1
Ciao.
Giuseppe
Hi @ghostrider,
please try this regex
ExceptionName:\s+(?<message>[^\.\<]+)
that you can test at https://regex101.com/r/Qegzo3/1
Ciao.
Giuseppe
Hello @ghostrider ,
You could try this :
BASE_SEARCH
| rex field=_raw "ExceptionName: (?<ExceptionText>[^\.\<]+)"
| stats count as Count by "ExceptionText"
Hope it helps!
Regards,
GaetanVP