Splunk Search

How to extract an error message string that contains "Tarik"?

Aj01
Path Finder

I am using a query and getting the logs, but I am getting "**Setting up error code and description**" as the error message string for all the errors. I need to extract those errors whose message is "error in calling tarik services", but it is not being extracted. I need help; I don't know how to use rex. Please help me.

index=dep_ago Appid=APP-0431 prod "error"

This is the command I am using, but I am not getting the "error in calling tarik services" error or any other string; only "**Setting up error code and description**" is coming back, with all the details in the logs.

Please help.

1 Solution

yuanliu
SplunkTrust

As @richgalloway said, if your source doesn't contain that data, nothing can get you there. Also, note that "extraction" in Splunk has a definite meaning that is different from search. Nothing in the exercise here has touched extraction yet, because we are simply trying to verify whether the message containing the string even exists in your data. If there is no data, there's nothing to extract from.


Aj01
Path Finder

I tried this but am not getting anything for it; we need to extract the error message, which is not being extracted by itself.

 


richgalloway
SplunkTrust

Then try a wider search.

index=* "tarik" earliest=-3d latest=+3d

Specifying index=* is discouraged because it is slow, but it is necessary when you're not sure where the data is stored. The earliest and latest settings are intended to catch incorrect timestamps.

If you still don't get any results, then we have to conclude the data is not in Splunk. Then it will be time to review how the messages are onboarded to see if we can fix that.

---
If this reply helps you, Karma would be appreciated.


richgalloway
SplunkTrust

If a search does not produce results, then it's possible the data isn't there or the search is incorrect. Assuming the data really is there, try removing qualifiers from the query. Verify the index name is correct.

index=dep_ago "tarik"

At this stage, you don't need the rex command.

 

---
If this reply helps you, Karma would be appreciated.
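Putting the two replies together (first confirm the string exists with the narrowed searches above, and only then extract), here is the extraction step a practitioner would run once events come back. This is an added example, not a query from the thread or from Splunk documentation. The index, Appid and message text are taken from the question; the field name error_message is an assumption. One caveat worth knowing: a quoted search term like "tarik" is matched case-insensitively, but the regex given to rex is case-sensitive by default, so the (?i) flag is what lets it match both "tarik" and "Tarik" in the raw event.

```spl
index=dep_ago Appid=APP-0431 "tarik"
| rex field=_raw "(?i)(?<error_message>error in calling tarik services)"
| where isnotnull(error_message)
| stats count by error_message
```

If the base search on the first line returns zero events, stop there: the problem is onboarding (the data never reached the index), not rex, and no extraction pattern will fix it. If it returns events but the stats table is empty, the regex does not match the raw text; run the base search alone and read the event text to see exactly how the message is written before adjusting the pattern.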