Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use a part of a string in an event as a value and make it as an interesting field

ragow
New Member
‎02-04-2019 10:10 PM

"2018-10-30 05:11:35,659 AM|ERROR|(null)|(null)|(null)|System.Data.SqlClient.SqlException (0x80131904): Invalid column name 'GRP10227'.
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction........."

This particular event contains 33 lines. All exceptions follow the same pattern i.e. "|ERROR|(null)|(null)|(null)|(Type of Exception)"

I want to extract the text "System.Data.SqlClient.SqlException (0x80131904): Invalid column name 'GRP10227'." and make it as an interesting field.
When I used Delimiter method (Used Pipe to separate the texts) to extract the field, it displays all the 33 lines. But I want just the first line to be displayed as Value

For example,

I want a field called "Exception_type" and it should have values as the above text "|System.Data.SqlClient.SqlException (0x80131904): Invalid column name 'GRP10227'.".

Can you please help me on it

Thanks

0 Karma
Reply

vinod94
Contributor
‎02-12-2019 10:27 PM

@ragow ,

you can try this also,

 rex  "ERROR\|\(null\)\|\(null\)\|\(null\)\|(?P<execution_type>.+)."
0 Karma
Reply

woodcock
Esteemed Legend
‎02-12-2019 01:12 AM

Like this:

... | rex "^(?:[^\|]+\|){5}(?<Exception_type>[^\r\n]+?)\s+at\s+)"
0 Karma
Reply

renjith_nair
Legend
‎02-04-2019 11:14 PM

@ragow ,

Try

ERROR\|.+?\|.+?\|.+?\|(?<Exception_type>.+)\n
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...