How to use a part of a string in an event as a val...

ragow · ‎02-04-2019

"2018-10-30 05:11:35,659 AM|ERROR|(null)|(null)|(null)|System.Data.SqlClient.SqlException (0x80131904): Invalid column name 'GRP10227'.
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction........."

I want to extract the text "System.Data.SqlClient.SqlException (0x80131904): Invalid column name 'GRP10227'." and make it as an interesting field.
When I used Delimiter method (Used Pipe to separate the texts) to extract the field, it displays all the 33 lines. But I want just the first line to be displayed as Value

For example,

I want a field called "Exception_type" and it should have values as the above text "|System.Data.SqlClient.SqlException (0x80131904): Invalid column name 'GRP10227'.".

Can you please help me on it

Thanks

vinod94 · ‎02-12-2019

@ragow ,

you can try this also,

 rex  "ERROR\|\(null\)\|\(null\)\|\(null\)\|(?P<execution_type>.+)."

woodcock · ‎02-12-2019

Like this:

... | rex "^(?:[^\|]+\|){5}(?<Exception_type>[^\r\n]+?)\s+at\s+)"

renjith_nair · ‎02-04-2019

@ragow ,

Try

ERROR\|.+?\|.+?\|.+?\|(?<Exception_type>.+)\n

---
What goes around comes around. If it helps, hit it with Karma 🙂

How to use a part of a string in an event as a value and make it as an interesting field

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

How to use a part of a string in an event as a value and make it as an interesting field

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem