Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit my regular expression to match multipl...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JDukeSplunk
Builder
10-21-2016
10:09 AM
I'll start with a raw event. This is basically a Java stack dump.
2016-10-20 13:23:20,828 [p-bio-8001-exec-1866] [TABTHREAD1] [ ] [ PegaRULES:07.10] (ngineinterface.service.HttpAPI) ERROR ttapppegacc01.alere.com|10.171.166.102 Administrator@pega.com - 10.171.166.102: com.pega.pegarules.pub.PRRuntimeError
com.pega.pegarules.pub.PRRuntimeError: PRRuntimeError
at com.pega.pegarules.session.internal.mgmt.base.ThreadRunner.runActivitiesAlt(ThreadRunner.java:712)
at com.pega.pegarules.session.internal.mgmt.PRThreadImpl.runActivitiesAlt(PRThreadImpl.java:461)
at com.pega.pegarules.session.internal.engineinterface.service.HttpAPI.runActivities(HttpAPI.java:3358)
at com.pega.pegarules.session.external.engineinterface.service.EngineAPI.processRequestInner(EngineAPI.java:385)
at sun.reflect.GeneratedMethodAccessor156.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at com.pega.pegarules.session.internal.PRSessionProviderImpl.performTargetActionWithLock(PRSessionProviderImpl.java:1270)
at com.pega.pegarules.session.internal.PRSessionProviderImpl.doWithRequestorLocked(PRSessionProviderImpl.java:1008)
at com.pega.pegarules.session.internal.PRSessionProviderImpl.doWithRequestorLocked(PRSessionProviderImpl.java:841)
at com.pega.pegarules.session.external.engineinterface.service.EngineAPI.processRequest(EngineAPI.java:331)
at com.pega.pegarules.session.internal.engineinterface.service.HttpAPI.invoke(HttpAPI.java:852)
at com.pega.pegarules.session.internal.engineinterface.etier.impl.EngineImpl._invokeEngine_privact(EngineImpl.java:315)
at com.pega.pegarules.session.internal.engineinterface.etier.impl.EngineImpl.invokeEngine(EngineImpl.java:263)
at com.pega.pegarules.session.internal.engineinterface.etier.impl.EngineImpl.invokeEngine(EngineImpl.java:240)
at com.pega.pegarules.priv.context.JNDIEnvironment.invokeEngineInner(JNDIEnvironment.java:278)
at com.pega.pegarules.priv.context.JNDIEnvironment.invokeEngine(JNDIEnvironment.java:223)
at com.pega.pegarules.web.impl.WebStandardImpl.makeEtierRequest(WebStandardImpl.java:574)
at com.pega.pegarules.web.impl.WebStandardImpl.doPost(WebStandardImpl.java:374)
at sun.reflect.GeneratedMethodAccessor153.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at com.pega.pegarules.internal.bootstrap.PRBootstrap.invokeMethod(PRBootstrap.java:370)
at com.pega.pegarules.internal.bootstrap.PRBootstrap.invokeMethodPropagatingThrowable(PRBootstrap.java:411)
at com.pega.pegarules.boot.internal.extbridge.AppServerBridgeToPega.invokeMethodPropagatingThrowable(AppServerBridgeToPega.java:223)
at com.pega.pegarules.boot.internal.extbridge.AppServerBridgeToPega.invokeMethod(AppServerBridgeToPega.java:272)
at com.pega.pegarules.internal.web.servlet.WebStandardBoot.doPost(WebStandardBoot.java:121)
at com.pega.pegarules.internal.web.servlet.WebStandardBoot.doGet(WebStandardBoot.java:92)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:624)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at com.googlecode.psiprobe.Tomcat70AgentValve.invoke(Tomcat70AgentValve.java:38)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: com.pega.pegarules.pub.runtime.IndeterminateConditionalException: Executable.evaluateWhen-FUAFailed
at com.pega.pegarules.session.internal.mgmt.Executable.evaluateWhen(Executable.java:4247)
at com.pega.pegarules.session.internal.mgmt.Executable.evaluateWhen(Executable.java:4128)
at com.pega.pegarules.exec.internal.basic.dictionary.AccessInfoConclusion.evaluateConditions(AccessInfoConclusion.java:936)
at com.pega.pegarules.exec.internal.basic.dictionary.AccessInfoConclusion.evaluate(AccessInfoConclusion.java:797)
at com.pega.pegarules.session.internal.authorization.access.AccessEvaluator.haveAccess(AccessEvaluator.java:179)
at com.pega.pegarules.session.internal.authorization.Authorization.haveAccess(Authorization.java:1822)
at com.pegarules.generated.activity.ra_action_wbtoolbarddsettings_9a469343ff55b48369ec8575895d72dc.step13_circum0(ra_action_wbtoolbarddsettings_9a469343ff55b48369ec8575895d72dc.java:1468)
at com.pegarules.generated.activity.ra_action_wbtoolbarddsettings_9a469343ff55b48369ec8575895d72dc.perform(ra_action_wbtoolbarddsettings_9a469343ff55b48369ec8575895d72dc.java:275)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3505)
at com.pega.pegarules.session.internal.mgmt.Executable.invokeActivity(Executable.java:10563)
at com.pegarules.generated.activity.ra_action_onbeforedisplay_73be703c71638484f9e536ae97ee89b6.step2_circum0(ra_action_onbeforedisplay_73be703c71638484f9e536ae97ee89b6.java:506)
at com.pegarules.generated.activity.ra_action_onbeforedisplay_73be703c71638484f9e536ae97ee89b6.perform(ra_action_onbeforedisplay_73be703c71638484f9e536ae97ee89b6.java:86)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3505)
at com.pega.pegarules.session.internal.mgmt.Executable.invokeActivity(Executable.java:10563)
at com.pegarules.generated.activity.ra_action_wbopen_636ddc8d3c8d3933fb470ef82428b1d6.step24_circum0(ra_action_wbopen_636ddc8d3c8d3933fb470ef82428b1d6.java:2225)
at com.pegarules.generated.activity.ra_action_wbopen_636ddc8d3c8d3933fb470ef82428b1d6.perform(ra_action_wbopen_636ddc8d3c8d3933fb470ef82428b1d6.java:537)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3505)
at com.pega.pegarules.session.internal.mgmt.Executable.invokeActivity(Executable.java:10563)
at com.pegarules.generated.activity.ra_action_douiaction_e7228a040c3bf89efe31545c6149a3d4.step28_circum0(ra_action_douiaction_e7228a040c3bf89efe31545c6149a3d4.java:2860)
at com.pegarules.generated.activity.ra_action_douiaction_e7228a040c3bf89efe31545c6149a3d4.perform(ra_action_douiaction_e7228a040c3bf89efe31545c6149a3d4.java:526)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3505)
at com.pega.pegarules.session.internal.mgmt.base.ThreadRunner.runActivitiesAlt(ThreadRunner.java:646)
... 50 more
Caused by: com.pega.pegarules.pub.generator.RuleNotFoundException: Failed to find a 'RULE-ACCESS-WHEN' with the name 'NODEVELOPERACCESS' that applies to 'Data-Admin-System-Settings'. There were 2 rules with this name in the rulebase, but none matched this request. The 2 rules named 'NODEVELOPERACCESS' defined in the rulebase are:
2 related to applies-to class 'Data-Admin-System-Settings', but were defined in rulesets which are not in your rulesetlist: {phsBusTier:01-31-45, :01-01-01}.
We have a regex that will grab the first instance in the exception.
| rex field=_raw "\.(?<Mother_Exception>[^\.\:]+(Exception|Error))\:"
We also have some logic that will grab the "Caused By" line, and then break that up to get the first Daughter Exception.
| rex field=_raw "Caused by:(?<CausedBy>.+)"
| eval cb=split(CausedBy,":")
| eval Daughter_Exception = mvindex(cb,0)
I think there is some way to grab all "Mother" and "Daughter" exceptions. I just don't know how.
Ideally the first match for [^\.\:]+(Exception|Error))\:" would be Mother. Then any further matches of [^\.\:]+(Exception|Error))\:" would be named Daughter1,Daughter2,..etc. They rarely go beyond 2, if ever.
Does this make sense?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-21-2016
11:13 AM
Try using max_match=N parameter of rex command which will capture multiple instance of the field wherever regex has a match. Use max_match=0 for unlimited. Try like this
your base search | rex max_match=10 field=_raw "\.(?<Mother_Exception>[^\.\:]+(Exception|Error))\:"
| table Mother_Exception | eval DaughterExceptions=mvindex(Mother_Exception,1,-1) | eval Mother_Exception=mvindex(Mother_Exception,0)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-21-2016
11:13 AM
Try using max_match=N parameter of rex command which will capture multiple instance of the field wherever regex has a match. Use max_match=0 for unlimited. Try like this
your base search | rex max_match=10 field=_raw "\.(?<Mother_Exception>[^\.\:]+(Exception|Error))\:"
| table Mother_Exception | eval DaughterExceptions=mvindex(Mother_Exception,1,-1) | eval Mother_Exception=mvindex(Mother_Exception,0)
Got questions? Get answers!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Meet up IRL or virtually!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Get Updates on the Splunk Community!
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
Hello Splunkers, We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...
May 2026 Splunk Expert Sessions: Security & Observability
Level Up Your Operations: May 2026 Splunk Expert Sessions
Whether you are refining your security posture or ...
Network to App: Observability Unlocked [May & June Series]
In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...
