
Hyperion Logs - How to extract a particular value from Log


My events are in the below format in Splunk:

[Wed Feb 15 16:41:07 2017]Local/ESSBASE0///139702560335616/Error(1040065)
Protocol mismatch may occur if a client other than an Essbase Client tries to access Essbase or if the packet is corrupted.

How shall I parse this log so that I can extract the error code as 1040065, or other values if I want to extract them?



You don't need to do anything with this log at parsing time. To extract the error code at search time, you can use the Field Extractor to create the error code field. Or you could just put the following in props.conf on the search head.

[hyperion]
EXTRACT-ec = Error\((?<error_code>\d+)\)

This assumes that the sourcetype for this input is "hyperion." I named the new field "error_code."



Hello Iguinn,

Thanks for your response. I have the below problem doing field extraction:

I have 3 events like below:

Event 1
[Thu Feb 16 15:38:19 2017]Local/ESSBASE0///140306130990848/Info(1051001) Received client request: Select Application/Database (from user [abc@aol.com]) Starting application MgmtRptg Environment variable [HYPERION_LOGHOME] is set - use it to define Log location folder. Log location is[/srv/essbase/Oracle/Middleware/user_projects/ESSBASE0/diagnostics/logs/essbase/essbase/app/MgmtRptg]. [JVM] Sun Microsystems Inc. [1.6.0_35] [JVM] Java HotSpot(TM) 64-Bit Server VM [20.10-b01] [JVM] Linux/amd64 [2.6.32-573.18.1.el6.x86_64] [JVM] Installing Java security manager

Event 2
[Thu Feb 16 15:38:18 2017]Local/ESSBASE0///140306127832832/Info(1051001) Received client request: Get Security Mode (from user [abc@aol.com])

Event 3
[Thu Feb 16 15:38:18 2017]Local/ESSBASE0///140306127832832/Info(1051187) Logging in user [abc@aol.com] from []

In each of the above events, if you see, I have a user email. I want to filter the user email from the above type of events. I tried using rex, but in some places I am getting the values fine and in some places I am getting null, probably due to position differences. Is there a better way to handle this?


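The following is an added Python example, not part of this thread and not Splunk's or Oracle's own code. It covers both the error-code extraction from the answer above and the user-extraction problem in the follow-up: it parses the four event formats posted in the thread with the same PCRE-style regexes you would put in a props.conf EXTRACT or an inline rex, and shows why a pattern anchored on "(from user [" returns null for the "Logging in user [...]" event while a pattern anchored on the literal "user [" does not. The sample events are constructed from the ones posted above (the long Event 1 is abbreviated), and the field names (timestamp, source, thread, severity, code, message, user) are my own choice.

```python
import re

# Constructed sample events, copied from the formats posted in this thread
# (the Error event from the question and the three Info events from the follow-up).
EVENTS = [
    "[Wed Feb 15 16:41:07 2017]Local/ESSBASE0///139702560335616/Error(1040065)\n"
    "Protocol mismatch may occur if a client other than an Essbase Client tries "
    "to access Essbase or if the packet is corrupted.",
    "[Thu Feb 16 15:38:19 2017]Local/ESSBASE0///140306130990848/Info(1051001) "
    "Received client request: Select Application/Database (from user [abc@aol.com]) "
    "Starting application MgmtRptg",
    "[Thu Feb 16 15:38:18 2017]Local/ESSBASE0///140306127832832/Info(1051001) "
    "Received client request: Get Security Mode (from user [abc@aol.com])",
    "[Thu Feb 16 15:38:18 2017]Local/ESSBASE0///140306127832832/Info(1051187) "
    "Logging in user [abc@aol.com] from []",
]

# Event header: [timestamp]Local/APP///thread/Severity(code) message.
# (?P<name>...) is accepted by both Python's re and Splunk's PCRE, so the same
# pattern works in props.conf, e.g. (assumed sourcetype "hyperion"):
#   [hyperion]
#   EXTRACT-hdr = ^\[(?P<timestamp>[^\]]+)\](?P<source>[^/]+/[^/]+)/+(?P<thread>\d+)/(?P<severity>\w+)\((?P<code>\d+)\)
HEADER_RE = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\]"          # [Wed Feb 15 16:41:07 2017]
    r"(?P<source>[^/]+/[^/]+)/+"           # Local/ESSBASE0 followed by ///
    r"(?P<thread>\d+)/"                    # 139702560335616/
    r"(?P<severity>\w+)\((?P<code>\d+)\)"  # Error(1040065)
    r"\s*(?P<message>.*)",                 # everything after the header
    re.DOTALL,
)

# Position-independent user extraction: anchor on the literal "user [" that
# precedes the name in every event that carries one, wherever it sits.
# Equivalent SPL:  | rex "\buser \[(?<user>[^\]]+)\]"
USER_RE = re.compile(r"\buser \[(?P<user>[^\]]+)\]")

# A position-dependent pattern that only matches "(from user [...])" and so
# returns null for "Logging in user [...]"; kept here to show the failure mode.
POSITIONAL_USER_RE = re.compile(r"\(from user \[(?P<user>[^\]]+)\]\)")


def extract_user(event: str):
    """Return the bracketed name following 'user [' anywhere in the event, or None."""
    m = USER_RE.search(event)
    return m.group("user") if m else None


def extract_user_positional(event: str):
    """Same extraction with the position-dependent pattern (None for the login event)."""
    m = POSITIONAL_USER_RE.search(event)
    return m.group("user") if m else None


def parse_event(event: str):
    """Split one event into header fields plus the optional user; None if the header does not match."""
    m = HEADER_RE.match(event)
    if not m:
        return None
    fields = m.groupdict()
    fields["user"] = extract_user(event)
    return fields


def parse_events(events):
    return [parse_event(e) for e in events]


if __name__ == "__main__":
    for rec in parse_events(EVENTS):
        print(rec["severity"], rec["code"], rec["user"])
```

The user field is whatever Essbase prints between the brackets; it happens to be an email address in these events, but the pattern does not assume that, so it will also extract non-email user names without returning null.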