Splunk Search

How to extract below field from logs ?

Path Finder

Hello,

I need to create a dashboard which shows error messages & their count over time. I have a logfile like below and I would like to extract the error message as a field.

"[syncservice] [ERROR] [20 Mar 2018 04:09:56,654] : [7dfhsdgw-4dgsj-ashgah-svahs5226] : [com.xxx.xxxx.xxxx.xxxx]: Failed to invoke service xxx.xxxxxx.xxxx.ConnectorException: IOException occurred for ServiceLogMessage while obtaining response: Connection to http://localhost:8080 refused"

0 Karma
1 Solution

Super Champion

Based on @tiagofbmm's answer, try this:

| rex field=_raw "ConnectorException:\s(?<ConnectorException>.*)"

You can test out regexes at this website: https://regex101.com/
It is a great place to learn and test out what you're doing.


0 Karma

Path Finder

Hello @cmerriman,
Yes, it works & Thanks for sharing the knowledge 🙂

0 Karma

Influencer

Working solely on the example you gave in the question,

| rex field=_raw "ConnectorException:s(?.*)"

0 Karma

Path Finder

Hello @tiagofbmm,
Thanks for the answer.
But I'm getting an error: "Error in 'rex' command: Encountered the following error while compiling the regex 'ConnectorException:s(?.*)': Regex: unrecognized character after (? or (?- "

0 Karma

Influencer

My bad, forgot to put it as Code

| rex field=_raw "ConnectorException\:\s(?<ConnectorException>.*)"

Influencer

Please upvote and accept answers

0 Karma

Super Champion
...| rex field=_raw "ConnectorException\:\s(?<errormsg>.*)"

Path Finder

Thanks for your answer @493669.
:)

0 Karma
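An added example, not part of the thread: JavaScript regular expressions accept the same `(?<name>...)` named-group syntax as the rex patterns above, so the sketch below shows why the stripped pattern fails to compile, why a missing backslash before `s` silently extracts nothing, and how the accepted pattern feeds a per-hour count. The sample events, the `noBackslash` variant and all function names are constructed for illustration.

```javascript
// Constructed sample events in the format quoted in the question (values are made up).
const events = [
  '[syncservice] [ERROR] [20 Mar 2018 04:09:56,654] : [req-0001] : [com.example.sync]: Failed to invoke service com.example.ConnectorException: IOException occurred for ServiceLogMessage while obtaining response: Connection to http://localhost:8080 refused',
  '[syncservice] [ERROR] [20 Mar 2018 04:41:10,002] : [req-0002] : [com.example.sync]: Failed to invoke service com.example.ConnectorException: IOException occurred for ServiceLogMessage while obtaining response: Connection to http://localhost:8080 refused',
  '[syncservice] [ERROR] [20 Mar 2018 05:02:33,910] : [req-0003] : [com.example.sync]: Failed to invoke service com.example.ConnectorException: Read timed out',
  '[syncservice] [INFO] [20 Mar 2018 05:03:00,000] : [req-0004] : [com.example.sync]: Service invoked',
];

const patterns = {
  // As first posted: the forum stripped the group name and the backslash.
  stripped: 'ConnectorException:s(?.*)',
  // Constructed variant: group name restored, backslash before "s" still missing.
  noBackslash: 'ConnectorException:s(?<ConnectorException>.*)',
  // The accepted answer's pattern.
  accepted: 'ConnectorException:\\s(?<ConnectorException>.*)',
};

// Return a compiled regex, or null when the pattern is not valid.
function compile(src) {
  try { return new RegExp(src); } catch (e) { return null; }
}

// Return the ConnectorException capture for one event, or null when there is no match.
function extract(re, event) {
  const m = re.exec(event);
  return m ? m.groups.ConnectorException : null;
}

// Count extracted messages per hour, the aggregation a dashboard panel would chart.
function countByHour(re, lines) {
  const ts = /\[(\d{2} \w{3} \d{4} \d{2}):\d{2}:\d{2},\d{3}\]/;
  const counts = {};
  for (const line of lines) {
    const msg = extract(re, line);
    const t = ts.exec(line);
    if (msg === null || t === null) continue; // event without the field or timestamp
    const key = `${t[1]}:00 | ${msg}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

console.log(countByHour(compile(patterns.accepted), events));
```

A pattern that compiles but never matches produces an empty panel rather than an error, so check the extracted field on a few raw events before building the chart.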