Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my regular expression to match multiples of the same type (Java Mother and Daughters exception)?

JDukeSplunk
Builder
‎10-21-2016 10:09 AM

I'll start with a raw event. This is basically a Java stack dump. 

2016-10-20 13:23:20,828 [p-bio-8001-exec-1866] [TABTHREAD1] [                    ] [     PegaRULES:07.10] (ngineinterface.service.HttpAPI) ERROR ttapppegacc01.alere.com|10.171.166.102 Administrator@pega.com - 10.171.166.102: com.pega.pegarules.pub.PRRuntimeError
com.pega.pegarules.pub.PRRuntimeError: PRRuntimeError
    at com.pega.pegarules.session.internal.mgmt.base.ThreadRunner.runActivitiesAlt(ThreadRunner.java:712)
    at com.pega.pegarules.session.internal.mgmt.PRThreadImpl.runActivitiesAlt(PRThreadImpl.java:461)
    at com.pega.pegarules.session.internal.engineinterface.service.HttpAPI.runActivities(HttpAPI.java:3358)
    at com.pega.pegarules.session.external.engineinterface.service.EngineAPI.processRequestInner(EngineAPI.java:385)
    at sun.reflect.GeneratedMethodAccessor156.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at com.pega.pegarules.session.internal.PRSessionProviderImpl.performTargetActionWithLock(PRSessionProviderImpl.java:1270)
    at com.pega.pegarules.session.internal.PRSessionProviderImpl.doWithRequestorLocked(PRSessionProviderImpl.java:1008)
    at com.pega.pegarules.session.internal.PRSessionProviderImpl.doWithRequestorLocked(PRSessionProviderImpl.java:841)
    at com.pega.pegarules.session.external.engineinterface.service.EngineAPI.processRequest(EngineAPI.java:331)
    at com.pega.pegarules.session.internal.engineinterface.service.HttpAPI.invoke(HttpAPI.java:852)
    at com.pega.pegarules.session.internal.engineinterface.etier.impl.EngineImpl._invokeEngine_privact(EngineImpl.java:315)
    at com.pega.pegarules.session.internal.engineinterface.etier.impl.EngineImpl.invokeEngine(EngineImpl.java:263)
    at com.pega.pegarules.session.internal.engineinterface.etier.impl.EngineImpl.invokeEngine(EngineImpl.java:240)
    at com.pega.pegarules.priv.context.JNDIEnvironment.invokeEngineInner(JNDIEnvironment.java:278)
    at com.pega.pegarules.priv.context.JNDIEnvironment.invokeEngine(JNDIEnvironment.java:223)
    at com.pega.pegarules.web.impl.WebStandardImpl.makeEtierRequest(WebStandardImpl.java:574)
    at com.pega.pegarules.web.impl.WebStandardImpl.doPost(WebStandardImpl.java:374)
    at sun.reflect.GeneratedMethodAccessor153.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at com.pega.pegarules.internal.bootstrap.PRBootstrap.invokeMethod(PRBootstrap.java:370)
    at com.pega.pegarules.internal.bootstrap.PRBootstrap.invokeMethodPropagatingThrowable(PRBootstrap.java:411)
    at com.pega.pegarules.boot.internal.extbridge.AppServerBridgeToPega.invokeMethodPropagatingThrowable(AppServerBridgeToPega.java:223)
    at com.pega.pegarules.boot.internal.extbridge.AppServerBridgeToPega.invokeMethod(AppServerBridgeToPega.java:272)
    at com.pega.pegarules.internal.web.servlet.WebStandardBoot.doPost(WebStandardBoot.java:121)
    at com.pega.pegarules.internal.web.servlet.WebStandardBoot.doGet(WebStandardBoot.java:92)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:624)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
    at com.googlecode.psiprobe.Tomcat70AgentValve.invoke(Tomcat70AgentValve.java:38)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: com.pega.pegarules.pub.runtime.IndeterminateConditionalException: Executable.evaluateWhen-FUAFailed
    at com.pega.pegarules.session.internal.mgmt.Executable.evaluateWhen(Executable.java:4247)
    at com.pega.pegarules.session.internal.mgmt.Executable.evaluateWhen(Executable.java:4128)
    at com.pega.pegarules.exec.internal.basic.dictionary.AccessInfoConclusion.evaluateConditions(AccessInfoConclusion.java:936)
    at com.pega.pegarules.exec.internal.basic.dictionary.AccessInfoConclusion.evaluate(AccessInfoConclusion.java:797)
    at com.pega.pegarules.session.internal.authorization.access.AccessEvaluator.haveAccess(AccessEvaluator.java:179)
    at com.pega.pegarules.session.internal.authorization.Authorization.haveAccess(Authorization.java:1822)
    at com.pegarules.generated.activity.ra_action_wbtoolbarddsettings_9a469343ff55b48369ec8575895d72dc.step13_circum0(ra_action_wbtoolbarddsettings_9a469343ff55b48369ec8575895d72dc.java:1468)
    at com.pegarules.generated.activity.ra_action_wbtoolbarddsettings_9a469343ff55b48369ec8575895d72dc.perform(ra_action_wbtoolbarddsettings_9a469343ff55b48369ec8575895d72dc.java:275)
    at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3505)
    at com.pega.pegarules.session.internal.mgmt.Executable.invokeActivity(Executable.java:10563)
    at com.pegarules.generated.activity.ra_action_onbeforedisplay_73be703c71638484f9e536ae97ee89b6.step2_circum0(ra_action_onbeforedisplay_73be703c71638484f9e536ae97ee89b6.java:506)
    at com.pegarules.generated.activity.ra_action_onbeforedisplay_73be703c71638484f9e536ae97ee89b6.perform(ra_action_onbeforedisplay_73be703c71638484f9e536ae97ee89b6.java:86)
    at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3505)
    at com.pega.pegarules.session.internal.mgmt.Executable.invokeActivity(Executable.java:10563)
    at com.pegarules.generated.activity.ra_action_wbopen_636ddc8d3c8d3933fb470ef82428b1d6.step24_circum0(ra_action_wbopen_636ddc8d3c8d3933fb470ef82428b1d6.java:2225)
    at com.pegarules.generated.activity.ra_action_wbopen_636ddc8d3c8d3933fb470ef82428b1d6.perform(ra_action_wbopen_636ddc8d3c8d3933fb470ef82428b1d6.java:537)
    at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3505)
    at com.pega.pegarules.session.internal.mgmt.Executable.invokeActivity(Executable.java:10563)
    at com.pegarules.generated.activity.ra_action_douiaction_e7228a040c3bf89efe31545c6149a3d4.step28_circum0(ra_action_douiaction_e7228a040c3bf89efe31545c6149a3d4.java:2860)
    at com.pegarules.generated.activity.ra_action_douiaction_e7228a040c3bf89efe31545c6149a3d4.perform(ra_action_douiaction_e7228a040c3bf89efe31545c6149a3d4.java:526)
    at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3505)
    at com.pega.pegarules.session.internal.mgmt.base.ThreadRunner.runActivitiesAlt(ThreadRunner.java:646)
    ... 50 more
Caused by: com.pega.pegarules.pub.generator.RuleNotFoundException: Failed to find a 'RULE-ACCESS-WHEN' with the name 'NODEVELOPERACCESS' that applies to 'Data-Admin-System-Settings'. There were 2 rules with this name in the rulebase, but none matched this request. The 2 rules named 'NODEVELOPERACCESS' defined in the rulebase are:
2 related to applies-to class 'Data-Admin-System-Settings', but were defined in rulesets which are not in your rulesetlist: {phsBusTier:01-31-45, :01-01-01}.

We have a regex that will grab the first instance in the exception.

| rex field=_raw "\.(?<Mother_Exception>[^\.\:]+(Exception|Error))\:"

We also have some logic that will grab the "Caused By" line, and then break that up to get the first Daughter Exception. 

| rex field=_raw "Caused by:(?<CausedBy>.+)"  
| eval cb=split(CausedBy,":")  
| eval Daughter_Exception = mvindex(cb,0)

I think there is some way to grab all "Mother" and "Daughter" exceptions. I just don't know how.

Ideally the first match for [^\.\:]+(Exception|Error))\:" would be Mother. Then any further matches of [^\.\:]+(Exception|Error))\:" would be named Daughter1,Daughter2,..etc. They rarely go beyond 2, if ever.

Does this make sense?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-21-2016 11:13 AM

Try using max_match=N parameter of rex command which will capture multiple instance of the field wherever regex has a match. Use max_match=0 for unlimited. Try like this

 your base search | rex max_match=10  field=_raw "\.(?<Mother_Exception>[^\.\:]+(Exception|Error))\:"
| table Mother_Exception | eval DaughterExceptions=mvindex(Mother_Exception,1,-1) | eval Mother_Exception=mvindex(Mother_Exception,0)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-21-2016 11:13 AM

Try using max_match=N parameter of rex command which will capture multiple instance of the field wherever regex has a match. Use max_match=0 for unlimited. Try like this

 your base search | rex max_match=10  field=_raw "\.(?<Mother_Exception>[^\.\:]+(Exception|Error))\:"
| table Mother_Exception | eval DaughterExceptions=mvindex(Mother_Exception,1,-1) | eval Mother_Exception=mvindex(Mother_Exception,0)
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...