Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to do newline splitting for a single event

sumitnagal
Path Finder
‎09-12-2012 05:58 PM

Hi,
I want to identified the exception caused by my API to the external API. here is example, I am looking for below output

14 Jun 2012 07:38:55,280 [ABCD] ERROR my.classname (46) - The exception value: An error occurred while processing the request on the server: System.Runtime.Remoting.RemotingException: Server is busy. Try request again later.
at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:188)
at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:130)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
at $Proxy207.retrieveDeploymentById(Unknown Source)
at com.test.abc.my(classname:46)

I am looking for below output

14 Jun 2012 07:38:55  my.class 46  com.sun.xml.ws.fault.SOAP11Fault.getProtocolException System.Runtime.Remoting.RemotingException

I am trying below query, but not sure how can do line breaking after getting value.

search | rex "(?i)^(?P<DATEFIELD>[^,]+),\\d+\\s+\[(?P<FIELDNAME>[^ ]+)\] (?P<LOGTYPE>(INFO|ERROR|DEBUG)) (?P<CALLNAME>[^ ]+)\(\d+\)\\s-\\s(?P<FIELDNAME2>[^-]+)" | rex "(?i)\tat (?P<FIELDNAME3>[^\(]+)"

Thanks,
Sumit

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jonuwz
Influencer
‎09-13-2012 03:09 AM

Like this :

... | rex "(?si)^(?P<DATEFIELD>[^,]+),\d+\s+\[(?P<FIELDNAME>[^ ]+)\] (?P<LOGTYPE>(INFO|ERROR|DEBUG)) (?P<CALLNAME>[^ ]+) \((?P<FIELDNAME2>\d+)\).*?:.*?:\s+(?P<FIELDNAME3>[^:]+).*?[\r\n]+\s*at\s+(?P<FIELDNAME4>[^\(]+)" 
| table DATEFIELD FIELDNAME LOGTYPE CALLNAME FIELDNAME2 FIELDNAME3 FIELDNAME4

The 's' in (?si) means treat \n as a character, not a line break.

This returns :

DATEFIELD   14 Jun 2012 07:38:55
FIELDNAME   ABCD
LOGTYPE     ERROR
CALLNAME    my.classname
FIELDNAME2  46
FIELDNAME3  System.Runtime.Remoting.RemotingException
FIELDNAME4  com.sun.xml.ws.fault.SOAP11Fault.getProtocolException

View solution in original post

Reply
Solved! Jump to solution

sumitnagal
Path Finder
‎10-07-2013 02:48 AM

This is very close to what I am looking, but I can't use FIELDNAME as it may have few lines or may have too many lines. I have to parse all the lines, please suggest how do I get specific liie , com.test.abc.my from the list of stack trace.

0 Karma
Reply
Solved! Jump to solution
Solution

jonuwz
Influencer
‎09-13-2012 03:09 AM

Like this :

... | rex "(?si)^(?P<DATEFIELD>[^,]+),\d+\s+\[(?P<FIELDNAME>[^ ]+)\] (?P<LOGTYPE>(INFO|ERROR|DEBUG)) (?P<CALLNAME>[^ ]+) \((?P<FIELDNAME2>\d+)\).*?:.*?:\s+(?P<FIELDNAME3>[^:]+).*?[\r\n]+\s*at\s+(?P<FIELDNAME4>[^\(]+)" 
| table DATEFIELD FIELDNAME LOGTYPE CALLNAME FIELDNAME2 FIELDNAME3 FIELDNAME4

The 's' in (?si) means treat \n as a character, not a line break.

This returns :

DATEFIELD   14 Jun 2012 07:38:55
FIELDNAME   ABCD
LOGTYPE     ERROR
CALLNAME    my.classname
FIELDNAME2  46
FIELDNAME3  System.Runtime.Remoting.RemotingException
FIELDNAME4  com.sun.xml.ws.fault.SOAP11Fault.getProtocolException
Reply
Solved! Jump to solution

wjblazek
Explorer
‎10-28-2014 04:23 PM

Yes Thanks!

The "[\r\n]" was the key I needed to search across line breaks:

| rex field=_raw "\[(?P<field1>...)\-(?P<field2>...)\-(?P<field3>...).*\]" | rex field=_raw "(?si)\s+\-\s+Caught\s+(?P<field4>...):\s+(?P<field5>...).*[\r\n](?P<field6>...):\s(?P<field7>...)" | stats count(field2) by field2,field3,field4,field5,field6,field7

Also (?m) seems to work like (?si) to tell rex to work across multiple lines:

| rex field=_raw "\[(?P<field1>...)\-(?P<field2>...)\-(?P<field3>...).*\]" | rex field=_raw "(?m)\s+\-\s+Caught\s+(?P<field4>...):\s+(?P<field5>...).*[\r\n](?P<field6>...):\s(?P<field7>...)" | stats count(field2) by field2,field3,field4,field5,field6,field7

Is there any significant difference between (?m) and (?si) ?

Is this documented anywhere?

0 Karma
Reply
Solved! Jump to solution

jonuwz
Influencer
‎10-31-2014 04:33 PM

pcre modifiers - http://php.net/manual/en/reference.pcre.pattern.modifiers.php

0 Karma
Reply
Solved! Jump to solution

johnnyzebra
Engager
‎07-07-2014 04:16 PM

Thanks!
This helped me resolve an issue where a rex I used in my search would not work when I did it as a field extraction. (grabbing everything up to the end of the line) It seems as if the field extraction was applying the si, so my \n wouldn't work.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...