Splunk Search

How to extract nested exception/message

mshea
New Member

Hi,

I need to extract the Exception and Message independently that occurs after the Nested Exception line below. I'm not sure how to access data in the next line. I was using regexr and this regex does match the Nested Exception.

/\Nested Exception/gm, but I need the System.Web.HttpException returned from the field extraction.

When I try to use the Field Extractor, it only shows me the first 200 characters or so and I can't select the field.

Any ideas on a configuration change to splunk that allows me to extract fields from raw data that is so large, and/or how to generate a regex that will return the data I'm looking for?

15668 10:59:57 ERROR Application error.
Exception: System.Web.HttpUnhandledException
Message: An unhandled exception occurred.
Source: Sitecore.Mvc
   at Sitecore.Mvc.Pipelines.MvcEvents.Exception.ShowAspNetErrorMessage.ShowErrorMessage(ExceptionContext exceptionContext, ExceptionArgs args)
   at Sitecore.Mvc.Pipelines.MvcEvents.Exception.ShowAspNetErrorMessage.Process(ExceptionArgs args)
   at (Object , Object[] )
   at Sitecore.Pipelines.CorePipeline.Run(PipelineArgs args)
   at Sitecore.Mvc.Pipelines.PipelineService.RunPipeline[TArgs](String pipelineName, TArgs args)
   at Sitecore.Mvc.Filters.PipelineBasedRequestFilter.OnException(ExceptionContext exceptionContext)
   at System.Web.Mvc.ControllerActionInvoker.InvokeExceptionFilters(ControllerContext controllerContext, IList`1 filters, Exception exception)
   at System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName)
   at Sitecore.Mvc.Controllers.SitecoreActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName)
   at System.Web.Mvc.Controller.<>c__DisplayClass1d.<BeginExecuteCore>b__19()
   at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass1.<MakeVoidDelegate>b__0()
   at System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar)
   at System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult)
   at System.Web.Mvc.MvcHandler.<>c__DisplayClass8.<BeginProcessRequest>b__3(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar)
   at Sitecore.Mvc.Routing.RouteHttpHandler.EndProcessRequest(IAsyncResult result)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Nested Exception
Exception: System.Web.HttpException
Message: Server cannot set content type after HTTP headers have been sent.

Thanks,

Mike

0 Karma
1 Solution

jacobwilkins
Communicator

How about this regex:

(?s)Nested Exception.+Exception:\s+(?<nested_exception>[^\n]*)

View solution in original post

Gilberto_Castil
Splunk Employee
Splunk Employee

There are multiple ways to do this. Here is another:

Nested\s+Exception(?:[\r\n]).+?Exception:\s+(?<exception>.+)(?:[\r\n]).+?Message\:\s+(?<message>.+)

alt text

mshea
New Member

I used this example to output 3 valuable fields including the callstack which includes the line of source.

(?s)Nested Exception.+Exception:\s+(?[^\n]*)\s*Message:\s(?.*)Source:\s(?.*\:line.{4})

Thanks!

0 Karma

Gilberto_Castil
Splunk Employee
Splunk Employee

Very cool. Happy Splunking!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

This regex string will extract the exception and message texts from your sample data, assuming it is all in a single event.

Nested Exception\n*\s*Exception: (?P<exception>.*$)\n*\s*Message: (?P<message>.*)
---
If this reply helps you, Karma would be appreciated.

mshea
New Member

I could not get this to match.
One of my tools gave an error on this: P.*$ saying it was illegal group syntax.

Thanks for sending!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

It worked on regex101.com. Try removing the '$' as it should match with or without it.

---
If this reply helps you, Karma would be appreciated.
0 Karma

jacobwilkins
Communicator

How about this regex:

(?s)Nested Exception.+Exception:\s+(?<nested_exception>[^\n]*)

mshea
New Member

Thanks for sending. I could not get a match for this on regex101.com or regexr.com. I will try to see what needs modification.

0 Karma

mshea
New Member

Actually, I mispoke, this does match.

Thanks!

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...