Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to capture a string?

bhaskar5428
Explorer
‎03-30-2022 05:22 AM

03 Mar 2022 10:08:18,188 GMT ERROR [dbdiNotificationService,ServiceManagement] {} - Caught Runtime exception at service dbdiNotificationService java.lang.IllegalArgumentException: No enum constant com.db.fx4capi.Fx4cApiLocal.TradeProcessingStatus.TRADE_STATUS_CANCELLED at java.lang.Enum.valueOf(Enum.java:238) ~[?:1.8.0_311] at com.db.fx4capi.Fx4cApiLocal$TradeProcessingStatus.valueOf(Fx4cApiLocal.java:10) ~[trade-22.1.1-8.jar:?] at com.db.fx4cash.trade.step.GetTradeReferenceAndStatusStep.step(GetTradeReferenceAndStatusStep.java:24) ~[step-22.1.1-8.jar:?] at com.db.servicemanagement.TransactionDispatchService.executeIteration(TransactionDispatchService.java:275) [servicemanagement-22.1.1-8.jar:?] at com.db.servicemanagement.TransactionDispatchService.startDispatch(TransactionDispatchService.java:673) [servicemanagement-22.1.1-8.jar:?] at com.db.servicemanagement.TransactionDispatchService.run(TransactionDispatchService.java:91) [servicemanagement-22.1.1-8.jar:?] at com.db.servicemanagement.ServiceThread.run(ServiceThread.java:36) [servicemanagement-22.1.1-8.jar:?] at java.lang.Thread.run(Thread.java:748) [?:1.8.0_311]

 

 

----------------------------------------------------------------------------------------------------------------------------

in above string i need to capture string in bold , 
basically whatever comes after first line ERROR would like to capture 

using below command , 

index=app_events_fx4cash_uk_prod source=*STPManager-servicemanagement.20220303-100818.log*
| rex field=_raw "^[^\-\n]*\-\s+(?P<Error>.$)"
|table error

 

am getting blank record, please help 

Labels (3)
Tags (2)
0 Karma
Reply

bhaskar5428
Explorer
‎03-30-2022 06:01 AM

[dbdiNotificationService,ServiceManagement] {} - Caught Runtime exception at service dbdiNotificationService

 

-----------------------------------------------------------

its giving me above output only 

 

0 Karma
Reply

Stefanie
Builder
‎03-30-2022 05:51 AM

Try this

index=app_events_fx4cash_uk_prod source=*STPManager-servicemanagement.20220303-100818.log*
|rex (?<Error>\[(.*))
|table Error

 

I also noticed in your search query, your rex command assigns it to "Error" but your table says "error". 

Field names are case-sensitive.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-30-2022 05:45 AM

Hi @bhaskar5428,

please try this

| rex "ERROR\s+(?<error>.*)"

that you can test at https://regex101.com/r/Bc78TE/1

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...