Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use a part of a string in an event as a value and make it as an interesting field

ragow
New Member
‎02-04-2019 10:10 PM

"2018-10-30 05:11:35,659 AM|ERROR|(null)|(null)|(null)|System.Data.SqlClient.SqlException (0x80131904): Invalid column name 'GRP10227'.
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction........."

This particular event contains 33 lines. All exceptions follow the same pattern i.e. "|ERROR|(null)|(null)|(null)|(Type of Exception)"

I want to extract the text "System.Data.SqlClient.SqlException (0x80131904): Invalid column name 'GRP10227'." and make it as an interesting field.
When I used Delimiter method (Used Pipe to separate the texts) to extract the field, it displays all the 33 lines. But I want just the first line to be displayed as Value

For example,

I want a field called "Exception_type" and it should have values as the above text "|System.Data.SqlClient.SqlException (0x80131904): Invalid column name 'GRP10227'.".

Can you please help me on it

Thanks

0 Karma
Reply

vinod94
Contributor
‎02-12-2019 10:27 PM

@ragow ,

you can try this also,

 rex  "ERROR\|\(null\)\|\(null\)\|\(null\)\|(?P<execution_type>.+)."
0 Karma
Reply

woodcock
Esteemed Legend
‎02-12-2019 01:12 AM

Like this:

... | rex "^(?:[^\|]+\|){5}(?<Exception_type>[^\r\n]+?)\s+at\s+)"
0 Karma
Reply

renjith_nair
Legend
‎02-04-2019 11:14 PM

@ragow ,

Try

ERROR\|.+?\|.+?\|.+?\|(?<Exception_type>.+)\n
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...