Solved: How to display only a substring of result set?

HelloItsMe76 · ‎09-12-2022

When i search for the string "ERROR" in a log i get the below

<

DEBUG : blah blah

INFO : blah blah blah

ERROR : <some error string>

More blah blah

>

I want to only show the whole line that starts with ERROR. The length of the error line is variable.

How can i do this?

I do understand that fixing the line breaks formatting in prop.conf might be a quicker way but i dont have access to that file so would like to do it in the result head. thanks in advance.

scelikok · ‎09-12-2022

Hi @HelloItsMe76,

You can use regex to extract the error string using below command after your search This will create a new field error_string that contains ERROR line info.

| rex field=_raw "ERROR\s+:\s+(?<error_string>.+)"

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

scelikok · ‎09-12-2022

Hi @HelloItsMe76,

You can use regex to extract the error string using below command after your search This will create a new field error_string that contains ERROR line info.

| rex field=_raw "ERROR\s+:\s+(?<error_string>.+)"

If this reply helps you an upvote and "Accept as Solution" is appreciated.

HelloItsMe76 · ‎09-12-2022

thanks, that worked.

How to display only a substring of result set?

subsearch

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?