Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to capture a string?

bhaskar5428
Explorer
‎03-30-2022 05:22 AM

03 Mar 2022 10:08:18,188 GMT ERROR [dbdiNotificationService,ServiceManagement] {} - Caught Runtime exception at service dbdiNotificationService java.lang.IllegalArgumentException: No enum constant com.db.fx4capi.Fx4cApiLocal.TradeProcessingStatus.TRADE_STATUS_CANCELLED at java.lang.Enum.valueOf(Enum.java:238) ~[?:1.8.0_311] at com.db.fx4capi.Fx4cApiLocal$TradeProcessingStatus.valueOf(Fx4cApiLocal.java:10) ~[trade-22.1.1-8.jar:?] at com.db.fx4cash.trade.step.GetTradeReferenceAndStatusStep.step(GetTradeReferenceAndStatusStep.java:24) ~[step-22.1.1-8.jar:?] at com.db.servicemanagement.TransactionDispatchService.executeIteration(TransactionDispatchService.java:275) [servicemanagement-22.1.1-8.jar:?] at com.db.servicemanagement.TransactionDispatchService.startDispatch(TransactionDispatchService.java:673) [servicemanagement-22.1.1-8.jar:?] at com.db.servicemanagement.TransactionDispatchService.run(TransactionDispatchService.java:91) [servicemanagement-22.1.1-8.jar:?] at com.db.servicemanagement.ServiceThread.run(ServiceThread.java:36) [servicemanagement-22.1.1-8.jar:?] at java.lang.Thread.run(Thread.java:748) [?:1.8.0_311]

 

 

----------------------------------------------------------------------------------------------------------------------------

in above string i need to capture string in bold , 
basically whatever comes after first line ERROR would like to capture 

using below command , 

index=app_events_fx4cash_uk_prod source=*STPManager-servicemanagement.20220303-100818.log*
| rex field=_raw "^[^\-\n]*\-\s+(?P<Error>.$)"
|table error

 

am getting blank record, please help 

Labels (3)
Tags (2)
0 Karma
Reply

bhaskar5428
Explorer
‎03-30-2022 06:01 AM

[dbdiNotificationService,ServiceManagement] {} - Caught Runtime exception at service dbdiNotificationService

 

-----------------------------------------------------------

its giving me above output only 

 

0 Karma
Reply

Stefanie
Builder
‎03-30-2022 05:51 AM

Try this

index=app_events_fx4cash_uk_prod source=*STPManager-servicemanagement.20220303-100818.log*
|rex (?<Error>\[(.*))
|table Error

 

I also noticed in your search query, your rex command assigns it to "Error" but your table says "error". 

Field names are case-sensitive.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-30-2022 05:45 AM

Hi @bhaskar5428,

please try this

| rex "ERROR\s+(?<error>.*)"

that you can test at https://regex101.com/r/Bc78TE/1

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...