Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to show all message from certain log via rex?

ivana27
Path Finder
‎03-01-2021 11:47 PM

Hi dear Splunkers,

i have log like this :

2021-02-11 14:47:51.167 [Error] ** Dummy User with dummyNumb:1111 Plate:AAAAA Country:Dummy paid dummy on DunnoOrder:2222222, but Dum sz: erere:45454545 not dispensed for Carouserl_Error !!!

And i would like to display everything after [Error] **.

I tried like this but i got error:

| rex "\[Error\]\s**\s(?<message>)"

Please help

Thank you

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-01-2021 11:52 PM 
| rex "\[Error\]\s\*\*\s(?<message>.*)"

View solution in original post

Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎03-01-2021 11:54 PM

@ivana27 

 

Can you please try this?

| rex "\[Error\]\s\*\*\s(?<message>.*)"


 Sample Search:

 

| makeresults 
| eval _raw="2021-02-11 14:47:51.167 [Error] ** Dummy User with dummyNumb:1111 Plate:AAAAA Country:Dummy paid dummy on DunnoOrder:2222222, but Dum sz: erere:45454545 not dispensed for Carouserl_Error !!!" 
| rex "\[Error\]\s\*\*\s(?<message>.*)"

 

Tags (1)
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎03-01-2021 11:55 PM

oops.. late reply 🙂 

0 Karma
Reply
Solved! Jump to solution

ivana27
Path Finder
‎03-02-2021 12:13 AM

Thank you in any case 🙂

Do you know how to put messages from Error one after another and not in horizontal view?

@kamlesh_vaghela 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-02-2021 12:22 AM

What delimits the parts of the message you want to separate?

0 Karma
Reply
Solved! Jump to solution

ivana27
Path Finder
‎03-02-2021 12:34 AM

Should be split by _time of log, should look like this

2021-02-12 00:35:20.820  [Error] ## sample1 bla bla bla
2021-02-12 00:35:20.836  [Information] sample2 bla bla bla
2021-02-12 00:35:30.731 [Information] sample3 bla bla bla
2021-02-12 00:35:31.429 [Information] sample4 bla bla bla
2021-02-12 00:35:31.506 [Error] ## sample5 bla bla bla
2021-02-12 00:35:31.519 [Error] ** sample6 bla bla bla

And now i have search like this which displays in same row:

index=pkg_prespvm host IN (*)
| dedup _raw
| transaction host startswith="[Information] STEP = Dummy" endswith="[Information] -- START TRANSACTION --"
| rex field=_raw "plate:(?<info>[^,]+)"
| rex "\[Error\]\s\*\*\s(?<message>.*)"
| rex "\[Error\]\s\##\sGet\sDuuno\sTransaction\s(?<tranok>.*)"
| rex "\[Error\]\s\CustNum:\s(?<customer>.*)"
| search "Get Transaction NOK --> Payment:OK"
| stats count by host _time tranok message customer info
| table _time host customer tranok message info

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎03-02-2021 12:19 AM
Can you please share your expected sample output. So I can help you..
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-01-2021 11:52 PM 
| rex "\[Error\]\s\*\*\s(?<message>.*)"
Reply
Get Updates on the Splunk Community!

Developer Spotlight with William Searle

The Splunk Guy: A Developer’s Path from Web to Cloud William is a Splunk Professional Services Consultant with ...

Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!

Attention App Developers: Test Your Apps with the Splunk 10.0 Beta and Ensure Compatibility Before the ...

Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
li.common.scroll-to.top