Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract message from log events.

avi7326
Path Finder
‎07-19-2023 02:00 AM

I want to extract the message that is 'until-successful' retries exhausted from the below logs.
And also a second rex query to extract both message and element and get in the table.
Any Help will be appreciated.

[-]
   loggerorg.mule.runtime.core.internal.exception.OnErrorPropagateHandler
   message

********************************************************************************

Message            : 'until-successful' retries exhausted

 Element            : bmw-sl-nsp-case-readSub_Flow/processors/1 @ bmw-sl-nsp-prd-api:write/bmw-sl-nsp-case-read.xml:88 (Until Successful)

Element DSL         : <until-successful maxRetries="${max.retries}" doc:name="Until Successful" doc:id="b76dd101-8752-43aa-ab94-d548b699ea7a" millisBetweenRetries="${time.between.retires.case}"> <http:request method="GET" doc:name="Get Cases" doc:id="b846734d-4ff0-479d-bc21-e112cd9e8919" config-ref="HTTP_Request_configuration" path="${schedular.getcases.target.path}" sendCorrelationId="ALWAYS" correlationId="#[correlationId]"> <http:query-params><![CDATA[ #[output application/java --- { "startTimestamp" : vars.startTimestamp, "country" : vars.currentCountry, "endTimestamp" : vars.endTimestamp, "businessUnit" : vars.currentBusinessUnit }]

Labels (2)
Labels
0 Karma
Reply

avi7326
Path Finder
‎07-19-2023 02:35 AM

I have tried the above query but from that I am getting the whole message I only want to extract the 1 and 2 line .
I have tried this and getting only until successful in the table I want the whole line 'until-successful' retries exhausted
| rex field=message "(?ms)Message\s+'(?<message>.*?)'"
| table message

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-19-2023 02:24 AM

Hi @avi7326,

this seems to be a json log, so you can use "INDEXED_EXTRACTIONS =json" at the ingestion or the "spath" command during the search.

Anyway, you can extract this string also using a regex like the following:

| rex "Message\s+:\s+(?<message>.+)"

that you can test at https://regex101.com/r/OhTHyC/1

ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-19-2023 06:04 AM

Hi @avi7326,

let me understand: you want to extract only the logger and message rows in two different fields, is it correct?

in this case, please try this regex

| rex "(?ms)logger:(?<logger>.*)\s*message:\s+(?<message>.*)Message"

that you can test at https://regex101.com/r/OhTHyC/2

Ciao.

Giuseppe

0 Karma
Reply

avi7326
Path Finder
‎07-19-2023 02:56 AM

I have tried the above query but from that I am getting the whole message I only want to extract the 1 and 2 line .
I have tried this and getting only until successful in the table I want the whole line 'until-successful' retries exhausted
| rex field=message "(?ms)Message\s+'(?<message>.*?)'"
| table message

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...