Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to show all message from certain log via rex?

ivana27
Path Finder
‎03-01-2021 11:47 PM

Hi dear Splunkers,

i have log like this :

2021-02-11 14:47:51.167 [Error] ** Dummy User with dummyNumb:1111 Plate:AAAAA Country:Dummy paid dummy on DunnoOrder:2222222, but Dum sz: erere:45454545 not dispensed for Carouserl_Error !!!

And i would like to display everything after [Error] **.

I tried like this but i got error:

| rex "\[Error\]\s**\s(?<message>)"

Please help

Thank you

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-01-2021 11:52 PM 
| rex "\[Error\]\s\*\*\s(?<message>.*)"

View solution in original post

Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎03-01-2021 11:54 PM

@ivana27 

 

Can you please try this?

| rex "\[Error\]\s\*\*\s(?<message>.*)"


 Sample Search:

 

| makeresults 
| eval _raw="2021-02-11 14:47:51.167 [Error] ** Dummy User with dummyNumb:1111 Plate:AAAAA Country:Dummy paid dummy on DunnoOrder:2222222, but Dum sz: erere:45454545 not dispensed for Carouserl_Error !!!" 
| rex "\[Error\]\s\*\*\s(?<message>.*)"

 

Tags (1)
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎03-01-2021 11:55 PM

oops.. late reply 🙂 

0 Karma
Reply
Solved! Jump to solution

ivana27
Path Finder
‎03-02-2021 12:13 AM

Thank you in any case 🙂

Do you know how to put messages from Error one after another and not in horizontal view?

@kamlesh_vaghela 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-02-2021 12:22 AM

What delimits the parts of the message you want to separate?

0 Karma
Reply
Solved! Jump to solution

ivana27
Path Finder
‎03-02-2021 12:34 AM

Should be split by _time of log, should look like this

2021-02-12 00:35:20.820  [Error] ## sample1 bla bla bla
2021-02-12 00:35:20.836  [Information] sample2 bla bla bla
2021-02-12 00:35:30.731 [Information] sample3 bla bla bla
2021-02-12 00:35:31.429 [Information] sample4 bla bla bla
2021-02-12 00:35:31.506 [Error] ## sample5 bla bla bla
2021-02-12 00:35:31.519 [Error] ** sample6 bla bla bla

And now i have search like this which displays in same row:

index=pkg_prespvm host IN (*)
| dedup _raw
| transaction host startswith="[Information] STEP = Dummy" endswith="[Information] -- START TRANSACTION --"
| rex field=_raw "plate:(?<info>[^,]+)"
| rex "\[Error\]\s\*\*\s(?<message>.*)"
| rex "\[Error\]\s\##\sGet\sDuuno\sTransaction\s(?<tranok>.*)"
| rex "\[Error\]\s\CustNum:\s(?<customer>.*)"
| search "Get Transaction NOK --> Payment:OK"
| stats count by host _time tranok message customer info
| table _time host customer tranok message info

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎03-02-2021 12:19 AM
Can you please share your expected sample output. So I can help you..
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-01-2021 11:52 PM 
| rex "\[Error\]\s\*\*\s(?<message>.*)"
Reply
Get Updates on the Splunk Community!

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...