Splunk Search

How to handle parentheses with REGEX in transforms.config as part of a multiline search

New Member

Hello all - I have been struggling with a regex mystery that I cannot figure out, and am hoping for another perspective to help me solve this riddle!

I have a stacktrace that is being treated as a multiline event. I am trying to identify a regex pattern in transforms.config that will allow me to extract a single line within the stacktrace, but apparently have run into trouble with properly accounting for the open parentheses.

Given this example, I am wanting to extract only the following snippet in BOLD:

20160825 12:51:16 unhandled error from dispatcher, sender:System.Windows.Threading.Dispatcher
System.NullReferenceException: Object reference not set to an instance of an object.
at SOURCE_B.Windows.Controls.PivotGrid.PivotGridGroupingBar.ShowFilterExecuted(Object sender, ExecutedRoutedEventArgs e)
at System.Windows.Input.CommandBinding.OnExecuted(Object sender, ExecutedRoutedEventArgs e)


(1)

REGEX = (?m)unhandled error.*(?(SOURCE_B|SOURCE_C)\D+)\s

this properly matches the start of the line I'm looking for...but it returns the rest of the stack trace as well.

Question #1: Why does it not match on \s when there is clearly whitespace throughout the stacktrace?


another observation:

(2)

REGEX = (?m)unhandled error.*(?(SOURCE_B|SOURCE_C)\D+ShowFilterExecuted)

this extracts....

SOURCE_B.Windows.Controls.PivotGrid.PivotGridGroupingBar.ShowFilterExecuted

ok, got that. Yet...

REGEX = (?m)unhandled error.*(?(SOURCE_B|SOURCE_C)\D+Object)

....extracts.....

SOURCE_B.Windows.Controls.PivotGrid.PivotGridGroupingBar.ShowFilterExecuted(Object sender, ExecutedRoutedEventArgs e)
at System.Windows.Input.CommandBinding.OnExecuted(Object sender, ExecutedRoutedEventArgs e)

Note this is the same regex pattern, the only difference is that "ShowFilterExecuted" is before the "(" and "Object" is after.

Question #2: what is it about the parentheses that is resulting in varying regex match results?


There apparently is something about the handling of parentheses that I am not understanding. Per other posts, I have also tried to escape the open parenthesis like this, but it still does not match

REGEX = (?m)unhandled error.*(?(SOURCE_B|SOURCE_C)\D+\()   << single escape

REGEX = (?m)unhandled error.*(?(SOURCE_B|SOURCE_C)\D+\\()   << double escape, a recommendation from another post

Any suggestions on how to alter the regex to properly match the single line in question would be greatly appreciated!


SplunkTrust

This works with your sample event.

at (?<field>.*?)\n
---
If this reply helps you, an upvote would be appreciated.


New Member

Thanks Rich, this worked! I only wish I had posted this question earlier...it would have saved some trouble, but I really wanted to understand this for myself 🙂 Previously I had tried...

(?<field>.*)\n

but the match did not pick up the end of line character. In studying your answer I think I've learned that I need to also quantify the end of line character in the matching pattern...else the matching will not "stop" with ".*"

thanks again!


Legend

How about this?

(?<data>SOURCE_[B|C][^\n]+)
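The behaviour the thread describes, shown as an added example (not code from this thread or from Splunk): Python's re module stands in for Splunk's PCRE, so named groups are written (?P<name>...) instead of (?<name>...), and the event string is a constructed copy of the posted stack trace. It reproduces the runaway match (\D and \s both match a newline) and the two single-line extractions from Rich's and sundareshr's replies.

```python
import re

# Constructed sample event, modelled on the stack trace in the question:
# four newline-terminated lines, as the multiline event reaches the regex.
EVENT = (
    "20160825 12:51:16 unhandled error from dispatcher, "
    "sender:System.Windows.Threading.Dispatcher\n"
    "System.NullReferenceException: Object reference not set to an instance of an object.\n"
    "at SOURCE_B.Windows.Controls.PivotGrid.PivotGridGroupingBar."
    "ShowFilterExecuted(Object sender, ExecutedRoutedEventArgs e)\n"
    "at System.Windows.Input.CommandBinding.OnExecuted(Object sender, ExecutedRoutedEventArgs e)\n"
)


def nondigit_run(event: str) -> str:
    # \D matches every non-digit, newline included, so \D+ greedily eats the
    # remaining frames; the trailing \s is then satisfied by the final newline
    # after one step of backtracking. This is the "rest of the stack trace" effect.
    m = re.search(r"SOURCE_B\D+\s", event)
    return m.group(0) if m else ""


def dot_run(event: str) -> str:
    # Without (?s), '.' does not match a newline, so .* stops at end of line.
    m = re.search(r"SOURCE_B.*", event)
    return m.group(0) if m else ""


def extract_frame_answer(event: str) -> str:
    # Accepted answer: lazy .*? that must end at the first newline,
    # i.e. PCRE  at (?<field>.*?)\n
    m = re.search(r"at (?P<field>.*?)\n", event)
    return m.group("field") if m else ""


def extract_frame_class(event: str) -> str:
    # sundareshr's variant: a negated class [^\n]+ cannot cross a line.
    # Note [B|C] is a character class that also matches a literal '|';
    # [BC] is the tighter spelling of the same intent.
    m = re.search(r"(?P<data>SOURCE_[B|C][^\n]+)", event)
    return m.group("data") if m else ""


if __name__ == "__main__":
    print("runaway \\D+\\s match spans %d newlines" % nondigit_run(EVENT).count("\n"))
    print("single frame:", extract_frame_answer(EVENT))
```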

New Member

This works, sundareshr, as well as Rich's solution. Thank you!
