Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to do newline splitting for a single event

sumitnagal
Path Finder
‎09-12-2012 05:58 PM

Hi,
I want to identified the exception caused by my API to the external API. here is example, I am looking for below output

14 Jun 2012 07:38:55,280 [ABCD] ERROR my.classname (46) - The exception value: An error occurred while processing the request on the server: System.Runtime.Remoting.RemotingException: Server is busy. Try request again later.
at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:188)
at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:130)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
at $Proxy207.retrieveDeploymentById(Unknown Source)
at com.test.abc.my(classname:46)

I am looking for below output

14 Jun 2012 07:38:55  my.class 46  com.sun.xml.ws.fault.SOAP11Fault.getProtocolException System.Runtime.Remoting.RemotingException

I am trying below query, but not sure how can do line breaking after getting value.

search | rex "(?i)^(?P<DATEFIELD>[^,]+),\\d+\\s+\[(?P<FIELDNAME>[^ ]+)\] (?P<LOGTYPE>(INFO|ERROR|DEBUG)) (?P<CALLNAME>[^ ]+)\(\d+\)\\s-\\s(?P<FIELDNAME2>[^-]+)" | rex "(?i)\tat (?P<FIELDNAME3>[^\(]+)"

Thanks,
Sumit

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jonuwz
Influencer
‎09-13-2012 03:09 AM

Like this :

... | rex "(?si)^(?P<DATEFIELD>[^,]+),\d+\s+\[(?P<FIELDNAME>[^ ]+)\] (?P<LOGTYPE>(INFO|ERROR|DEBUG)) (?P<CALLNAME>[^ ]+) \((?P<FIELDNAME2>\d+)\).*?:.*?:\s+(?P<FIELDNAME3>[^:]+).*?[\r\n]+\s*at\s+(?P<FIELDNAME4>[^\(]+)" 
| table DATEFIELD FIELDNAME LOGTYPE CALLNAME FIELDNAME2 FIELDNAME3 FIELDNAME4

The 's' in (?si) means treat \n as a character, not a line break.

This returns :

DATEFIELD   14 Jun 2012 07:38:55
FIELDNAME   ABCD
LOGTYPE     ERROR
CALLNAME    my.classname
FIELDNAME2  46
FIELDNAME3  System.Runtime.Remoting.RemotingException
FIELDNAME4  com.sun.xml.ws.fault.SOAP11Fault.getProtocolException

View solution in original post

Reply
Solved! Jump to solution

sumitnagal
Path Finder
‎10-07-2013 02:48 AM

This is very close to what I am looking, but I can't use FIELDNAME as it may have few lines or may have too many lines. I have to parse all the lines, please suggest how do I get specific liie , com.test.abc.my from the list of stack trace.

0 Karma
Reply
Solved! Jump to solution
Solution

jonuwz
Influencer
‎09-13-2012 03:09 AM

Like this :

... | rex "(?si)^(?P<DATEFIELD>[^,]+),\d+\s+\[(?P<FIELDNAME>[^ ]+)\] (?P<LOGTYPE>(INFO|ERROR|DEBUG)) (?P<CALLNAME>[^ ]+) \((?P<FIELDNAME2>\d+)\).*?:.*?:\s+(?P<FIELDNAME3>[^:]+).*?[\r\n]+\s*at\s+(?P<FIELDNAME4>[^\(]+)" 
| table DATEFIELD FIELDNAME LOGTYPE CALLNAME FIELDNAME2 FIELDNAME3 FIELDNAME4

The 's' in (?si) means treat \n as a character, not a line break.

This returns :

DATEFIELD   14 Jun 2012 07:38:55
FIELDNAME   ABCD
LOGTYPE     ERROR
CALLNAME    my.classname
FIELDNAME2  46
FIELDNAME3  System.Runtime.Remoting.RemotingException
FIELDNAME4  com.sun.xml.ws.fault.SOAP11Fault.getProtocolException
Reply
Solved! Jump to solution

wjblazek
Explorer
‎10-28-2014 04:23 PM

Yes Thanks!

The "[\r\n]" was the key I needed to search across line breaks:

| rex field=_raw "\[(?P<field1>...)\-(?P<field2>...)\-(?P<field3>...).*\]" | rex field=_raw "(?si)\s+\-\s+Caught\s+(?P<field4>...):\s+(?P<field5>...).*[\r\n](?P<field6>...):\s(?P<field7>...)" | stats count(field2) by field2,field3,field4,field5,field6,field7

Also (?m) seems to work like (?si) to tell rex to work across multiple lines:

| rex field=_raw "\[(?P<field1>...)\-(?P<field2>...)\-(?P<field3>...).*\]" | rex field=_raw "(?m)\s+\-\s+Caught\s+(?P<field4>...):\s+(?P<field5>...).*[\r\n](?P<field6>...):\s(?P<field7>...)" | stats count(field2) by field2,field3,field4,field5,field6,field7

Is there any significant difference between (?m) and (?si) ?

Is this documented anywhere?

0 Karma
Reply
Solved! Jump to solution

jonuwz
Influencer
‎10-31-2014 04:33 PM

pcre modifiers - http://php.net/manual/en/reference.pcre.pattern.modifiers.php

0 Karma
Reply
Solved! Jump to solution

johnnyzebra
Engager
‎07-07-2014 04:16 PM

Thanks!
This helped me resolve an issue where a rex I used in my search would not work when I did it as a field extraction. (grabbing everything up to the end of the line) It seems as if the field extraction was applying the si, so my \n wouldn't work.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...