Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to extract nested exception/message

mshea
New Member
‎08-17-2015 09:41 AM

Hi,

I need to extract the Exception and Message independently that occurs after the Nested Exception line below. I'm not sure how to access data in the next line. I was using regexr and this regex does match the Nested Exception.

/\Nested Exception/gm, but I need the System.Web.HttpException returned from the field extraction.

When I try to use the Field Extractor, it only shows me the first 200 characters or so and I can't select the field.

Any ideas on a configuration change to splunk that allows me to extract fields from raw data that is so large, and/or how to generate a regex that will return the data I'm looking for?

15668 10:59:57 ERROR Application error.
Exception: System.Web.HttpUnhandledException
Message: An unhandled exception occurred.
Source: Sitecore.Mvc
   at Sitecore.Mvc.Pipelines.MvcEvents.Exception.ShowAspNetErrorMessage.ShowErrorMessage(ExceptionContext exceptionContext, ExceptionArgs args)
   at Sitecore.Mvc.Pipelines.MvcEvents.Exception.ShowAspNetErrorMessage.Process(ExceptionArgs args)
   at (Object , Object[] )
   at Sitecore.Pipelines.CorePipeline.Run(PipelineArgs args)
   at Sitecore.Mvc.Pipelines.PipelineService.RunPipeline[TArgs](String pipelineName, TArgs args)
   at Sitecore.Mvc.Filters.PipelineBasedRequestFilter.OnException(ExceptionContext exceptionContext)
   at System.Web.Mvc.ControllerActionInvoker.InvokeExceptionFilters(ControllerContext controllerContext, IList`1 filters, Exception exception)
   at System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName)
   at Sitecore.Mvc.Controllers.SitecoreActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName)
   at System.Web.Mvc.Controller.<>c__DisplayClass1d.<BeginExecuteCore>b__19()
   at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass1.<MakeVoidDelegate>b__0()
   at System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar)
   at System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult)
   at System.Web.Mvc.MvcHandler.<>c__DisplayClass8.<BeginProcessRequest>b__3(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar)
   at Sitecore.Mvc.Routing.RouteHttpHandler.EndProcessRequest(IAsyncResult result)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Nested Exception
Exception: System.Web.HttpException
Message: Server cannot set content type after HTTP headers have been sent.

Thanks,

Mike

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jacobwilkins
Communicator
‎08-17-2015 10:22 AM

How about this regex:

(?s)Nested Exception.+Exception:\s+(?<nested_exception>[^\n]*)

View solution in original post

Reply
Solved! Jump to solution

Gilberto_Castil
Splunk Employee
Splunk Employee
‎08-17-2015 10:40 AM

There are multiple ways to do this. Here is another:

Nested\s+Exception(?:[\r\n]).+?Exception:\s+(?<exception>.+)(?:[\r\n]).+?Message\:\s+(?<message>.+)

alt text

Preview file
162 KB
Reply
Solved! Jump to solution

mshea
New Member
‎08-17-2015 02:51 PM

I used this example to output 3 valuable fields including the callstack which includes the line of source.

(?s)Nested Exception.+Exception:\s+(?[^\n]*)\s*Message:\s(?.*)Source:\s(?.*\:line.{4})

Thanks!

0 Karma
Reply
Solved! Jump to solution

Gilberto_Castil
Splunk Employee
Splunk Employee
‎08-17-2015 02:53 PM

Very cool. Happy Splunking!

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-17-2015 10:28 AM

This regex string will extract the exception and message texts from your sample data, assuming it is all in a single event.

Nested Exception\n*\s*Exception: (?P<exception>.*$)\n*\s*Message: (?P<message>.*)
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

mshea
New Member
‎08-17-2015 02:53 PM

I could not get this to match.
One of my tools gave an error on this: P.*$ saying it was illegal group syntax.

Thanks for sending!

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-17-2015 03:41 PM

It worked on regex101.com. Try removing the '$' as it should match with or without it.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

jacobwilkins
Communicator
‎08-17-2015 10:22 AM

How about this regex:

(?s)Nested Exception.+Exception:\s+(?<nested_exception>[^\n]*)
Reply
Solved! Jump to solution

mshea
New Member
‎08-17-2015 02:46 PM

Thanks for sending. I could not get a match for this on regex101.com or regexr.com. I will try to see what needs modification.

0 Karma
Reply
Solved! Jump to solution

mshea
New Member
‎08-17-2015 02:49 PM

Actually, I mispoke, this does match.

Thanks!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...