Splunk Search

How to extract nested exception/message

mshea
New Member

Hi,

I need to extract the Exception and Message independently that occurs after the Nested Exception line below. I'm not sure how to access data in the next line. I was using regexr and this regex does match the Nested Exception.

/\Nested Exception/gm, but I need the System.Web.HttpException returned from the field extraction.

When I try to use the Field Extractor, it only shows me the first 200 characters or so and I can't select the field.

Any ideas on a configuration change to splunk that allows me to extract fields from raw data that is so large, and/or how to generate a regex that will return the data I'm looking for?

15668 10:59:57 ERROR Application error.
Exception: System.Web.HttpUnhandledException
Message: An unhandled exception occurred.
Source: Sitecore.Mvc
   at Sitecore.Mvc.Pipelines.MvcEvents.Exception.ShowAspNetErrorMessage.ShowErrorMessage(ExceptionContext exceptionContext, ExceptionArgs args)
   at Sitecore.Mvc.Pipelines.MvcEvents.Exception.ShowAspNetErrorMessage.Process(ExceptionArgs args)
   at (Object , Object[] )
   at Sitecore.Pipelines.CorePipeline.Run(PipelineArgs args)
   at Sitecore.Mvc.Pipelines.PipelineService.RunPipeline[TArgs](String pipelineName, TArgs args)
   at Sitecore.Mvc.Filters.PipelineBasedRequestFilter.OnException(ExceptionContext exceptionContext)
   at System.Web.Mvc.ControllerActionInvoker.InvokeExceptionFilters(ControllerContext controllerContext, IList`1 filters, Exception exception)
   at System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName)
   at Sitecore.Mvc.Controllers.SitecoreActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName)
   at System.Web.Mvc.Controller.<>c__DisplayClass1d.<BeginExecuteCore>b__19()
   at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass1.<MakeVoidDelegate>b__0()
   at System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar)
   at System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult)
   at System.Web.Mvc.MvcHandler.<>c__DisplayClass8.<BeginProcessRequest>b__3(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar)
   at Sitecore.Mvc.Routing.RouteHttpHandler.EndProcessRequest(IAsyncResult result)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Nested Exception
Exception: System.Web.HttpException
Message: Server cannot set content type after HTTP headers have been sent.

Thanks,

Mike

0 Karma

Gilberto_Castil
Splunk Employee

There are multiple ways to do this. Here is another:

Nested\s+Exception(?:[\r\n]).+?Exception:\s+(?<exception>.+)(?:[\r\n]).+?Message\:\s+(?<message>.+)


mshea
New Member

I used this example to output 3 valuable fields including the callstack which includes the line of source.

(?s)Nested Exception.+Exception:\s+(?[^\n]*)\s*Message:\s(?.*)Source:\s(?.*\:line.{4})

Thanks!

0 Karma

Gilberto_Castil
Splunk Employee

Very cool. Happy Splunking!

0 Karma

richgalloway
SplunkTrust

This regex string will extract the exception and message texts from your sample data, assuming it is all in a single event.

Nested Exception\n*\s*Exception: (?P<exception>.*$)\n*\s*Message: (?P<message>.*)
---
If this reply helps you, Karma would be appreciated.

mshea
New Member

I could not get this to match.
One of my tools gave an error on this: P.*$ saying it was illegal group syntax.

Thanks for sending!

0 Karma

richgalloway
SplunkTrust

It worked on regex101.com. Try removing the '$' as it should match with or without it.

---
If this reply helps you, Karma would be appreciated.
0 Karma

jacobwilkins
Communicator

How about this regex:

(?s)Nested Exception.+Exception:\s+(?<nested_exception>[^\n]*)

mshea
New Member

Thanks for sending. I could not get a match for this on regex101.com or regexr.com. I will try to see what needs modification.

0 Karma

mshea
New Member

Actually, I misspoke, this does match.

Thanks!

0 Karma
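The patterns discussed in this thread can be compared side by side outside Splunk. The following is an added example, not code from any poster: it runs them with Python's `re` module against a shortened, constructed copy of the event, and shows how greedy versus lazy matching and `$` with or without multiline mode change what is extracted. The `(?<name>...)` groups are written as `(?P<name>...)` because Python requires that form; the second nested block and the `LAZY`, `MULTILINE`, `NO_DOLLAR` and `all_nested` names are assumptions made for the comparison.

```python
import re

# Constructed input: a shortened copy of the event from the question.
SINGLE = (
    "15668 10:59:57 ERROR Application error.\n"
    "Exception: System.Web.HttpUnhandledException\n"
    "Message: An unhandled exception occurred.\n"
    "Source: Sitecore.Mvc\n"
    "   at Sitecore.Pipelines.CorePipeline.Run(PipelineArgs args)\n"
    "Nested Exception\n"
    "Exception: System.Web.HttpException\n"
    "Message: Server cannot set content type after HTTP headers have been sent.\n"
)
# Constructed input: the same event with a second, made-up nested block.
DOUBLE = SINGLE + (
    "Nested Exception\n"
    "Exception: System.InvalidOperationException\n"
    "Message: Constructed inner error.\n"
)

# Patterns from the thread, transcribed to Python's (?P<name>...) syntax.
GREEDY = r"(?s)Nested Exception.+Exception:\s+(?P<nested_exception>[^\n]*)"
WITH_DOLLAR = (r"Nested Exception\n*\s*Exception: (?P<exception>.*$)"
               r"\n*\s*Message: (?P<message>.*)")

# Variants added here for comparison (hypothetical names, not from the thread).
LAZY = r"(?s)Nested Exception.+?Exception:\s+(?P<nested_exception>[^\n]*)"
MULTILINE = "(?m)" + WITH_DOLLAR   # '$' may now match at every line end
NO_DOLLAR = (r"Nested Exception\n*\s*Exception: (?P<exception>.*)"
             r"\n*\s*Message: (?P<message>.*)")

def extract(pattern, event):
    """Return the named groups of the first match, or None if nothing matches."""
    m = re.search(pattern, event)
    return m.groupdict() if m else None

def all_nested(event):
    """Return every (exception, message) pair following a 'Nested Exception' line."""
    return re.findall(
        r"Nested Exception\s+Exception:\s+([^\n]*)\s+Message:\s+([^\n]*)", event)

if __name__ == "__main__":
    for name in ("GREEDY", "LAZY", "WITH_DOLLAR", "MULTILINE", "NO_DOLLAR"):
        print(name, extract(globals()[name], SINGLE), extract(globals()[name], DOUBLE))
    print(all_nested(DOUBLE))
```

With one nested block the greedy and lazy forms agree; with two, the greedy `.+` under `(?s)` skips to the last `Exception:` in the event while the lazy form stops at the first.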