Solved: How to display only a substring of result set?

HelloItsMe76 · ‎09-12-2022

When i search for the string "ERROR" in a log i get the below

<

DEBUG : blah blah

INFO : blah blah blah

ERROR : <some error string>

More blah blah

>

I want to only show the whole line that starts with ERROR. The length of the error line is variable.

How can i do this?

I do understand that fixing the line breaks formatting in prop.conf might be a quicker way but i dont have access to that file so would like to do it in the result head. thanks in advance.

scelikok · ‎09-12-2022

Hi @HelloItsMe76,

You can use regex to extract the error string using below command after your search This will create a new field error_string that contains ERROR line info.

| rex field=_raw "ERROR\s+:\s+(?<error_string>.+)"

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

scelikok · ‎09-12-2022

Hi @HelloItsMe76,

You can use regex to extract the error string using below command after your search This will create a new field error_string that contains ERROR line info.

| rex field=_raw "ERROR\s+:\s+(?<error_string>.+)"

If this reply helps you an upvote and "Accept as Solution" is appreciated.

HelloItsMe76 · ‎09-12-2022

thanks, that worked.

How to display only a substring of result set?

subsearch

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk

Good Sourcetype Naming

Are you a member of the Splunk Community?

How to display only a substring of result set?

subsearch

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk

Good Sourcetype Naming