Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use a part of a string in an event as a value and make it as an interesting field

ragow
New Member
‎02-04-2019 10:10 PM

"2018-10-30 05:11:35,659 AM|ERROR|(null)|(null)|(null)|System.Data.SqlClient.SqlException (0x80131904): Invalid column name 'GRP10227'.
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction........."

This particular event contains 33 lines. All exceptions follow the same pattern i.e. "|ERROR|(null)|(null)|(null)|(Type of Exception)"

I want to extract the text "System.Data.SqlClient.SqlException (0x80131904): Invalid column name 'GRP10227'." and make it as an interesting field.
When I used Delimiter method (Used Pipe to separate the texts) to extract the field, it displays all the 33 lines. But I want just the first line to be displayed as Value

For example,

I want a field called "Exception_type" and it should have values as the above text "|System.Data.SqlClient.SqlException (0x80131904): Invalid column name 'GRP10227'.".

Can you please help me on it

Thanks

0 Karma
Reply

vinod94
Contributor
‎02-12-2019 10:27 PM

@ragow ,

you can try this also,

 rex  "ERROR\|\(null\)\|\(null\)\|\(null\)\|(?P<execution_type>.+)."
0 Karma
Reply

woodcock
Esteemed Legend
‎02-12-2019 01:12 AM

Like this:

... | rex "^(?:[^\|]+\|){5}(?<Exception_type>[^\r\n]+?)\s+at\s+)"
0 Karma
Reply

renjith_nair
SplunkTrust
SplunkTrust
‎02-04-2019 11:14 PM

@ragow ,

Try

ERROR\|.+?\|.+?\|.+?\|(?<Exception_type>.+)\n
Happy Splunking!
Reply
Get Updates on the Splunk Community!