Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract a error message string contains "Tarik"?

Aj01
Path Finder
‎01-05-2023 10:56 AM

I am using a query and getting the logs but getting "**Setting up error code and description**" as the error message string for all the errors, need to extract those error which have error as "error in calling tarik services" but it is not extracting, need help i dont know how to use rex.....please help me

index=dep_ago Appid=APP-0431 prod "error"

this command i am using but not getting this "error in calling tarik services" error or any other string only this coming **Setting up error code and description**" with all the details in logs

please help.................

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎01-05-2023 10:54 PM

As @richgalloway said, if your source doesn't contain those data, nothing can get you there.  Also, note that "extraction" in Splunk has a definitive meaning that is different from search.  All the exercise here has not yet touched extraction because we are simply trying to verify whether the message containing the string even exist in your data.  If there is no data, there's nothing to extract from.

View solution in original post

Reply
Solved! Jump to solution

Aj01
Path Finder
‎01-05-2023 10:31 PM

i tried this by not getting anything for it, we need extract the error message which is not extracting by itself.....

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-06-2023 05:38 AM

Then try a wider search.

index=* "tarik" earliest=-3d latest=+3d

Specifying index=* is discouraged because it is slow, but is necessary when you're not sure where the data is stored.  The earliest and latest settings are intended to catch incorrect timestamps.

If you still don't get any results then we have to conclude the data is not in Splunk.  Then it will be time to review how the messages are onboarded to see if we can fix that.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎01-05-2023 10:54 PM

As @richgalloway said, if your source doesn't contain those data, nothing can get you there.  Also, note that "extraction" in Splunk has a definitive meaning that is different from search.  All the exercise here has not yet touched extraction because we are simply trying to verify whether the message containing the string even exist in your data.  If there is no data, there's nothing to extract from.

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-05-2023 12:49 PM

If a search does not produce results then it's possible the data isn't there or the search is incorrect.  Assuming the data really is there then try removing qualifiers from the query.  Verify the index name is correct.

index=dep_ago "tarik"

At this stage, you don't need the rex command.

 

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Video | Welcome Back to Smartness, Pedro

Remember Splunk Community member, Pedro Borges? If you tuned into Episode 2 of our Smartness interview series, ...

Detector Best Practices: Static Thresholds

Introduction In observability monitoring, static thresholds are used to monitor fixed, known values within ...

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...