Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use a part of a string in an event as a value and make it as an interesting field

ragow
New Member
‎02-04-2019 10:10 PM

"2018-10-30 05:11:35,659 AM|ERROR|(null)|(null)|(null)|System.Data.SqlClient.SqlException (0x80131904): Invalid column name 'GRP10227'.
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction........."

This particular event contains 33 lines. All exceptions follow the same pattern i.e. "|ERROR|(null)|(null)|(null)|(Type of Exception)"

I want to extract the text "System.Data.SqlClient.SqlException (0x80131904): Invalid column name 'GRP10227'." and make it as an interesting field.
When I used Delimiter method (Used Pipe to separate the texts) to extract the field, it displays all the 33 lines. But I want just the first line to be displayed as Value

For example,

I want a field called "Exception_type" and it should have values as the above text "|System.Data.SqlClient.SqlException (0x80131904): Invalid column name 'GRP10227'.".

Can you please help me on it

Thanks

0 Karma
Reply

vinod94
Contributor
‎02-12-2019 10:27 PM

@ragow ,

you can try this also,

 rex  "ERROR\|\(null\)\|\(null\)\|\(null\)\|(?P<execution_type>.+)."
0 Karma
Reply

woodcock
Esteemed Legend
‎02-12-2019 01:12 AM

Like this:

... | rex "^(?:[^\|]+\|){5}(?<Exception_type>[^\r\n]+?)\s+at\s+)"
0 Karma
Reply

renjith_nair
Legend
‎02-04-2019 11:14 PM

@ragow ,

Try

ERROR\|.+?\|.+?\|.+?\|(?<Exception_type>.+)\n
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Get Updates on the Splunk Community!

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...