Splunk Search

Hyperion Logs - How to extract a particular value from Log

avaishsplunk
Path Finder

My events are in the below format in splunk:

[Wed Feb 15 16:41:07 2017]Local/ESSBASE0///139702560335616/Error(1040065)
Protocol mismatch may occur if a client other than an Essbase Client tries to access Essbase or if the packet is corrupted.

How shall I parse this log so that I can extract the error code (1040065), or other values if I want to extract them?

0 Karma

lguinn2
Legend

You don't need to do anything with this log at parsing time. To extract the error code at search time, you can use the Field Extractor to create the error code field. Or you could just put the following in props.conf on the search head.

[hyperion]
EXTRACT-ec = Error\((?<error_code>\d+)\)

This assumes that the sourcetype for this input is "hyperion." I named the new field "error_code."

0 Karma

avaishsplunk
Path Finder

Hello lguinn,

Thanks for your response, I have the below problem doing field extraction:

I have 3 events like below:

Event 1
[Thu Feb 16 15:38:19 2017]Local/ESSBASE0///140306130990848/Info(1051001) Received client request: Select Application/Database (from user [abc@aol.com]) Starting application MgmtRptg Environment variable [HYPERION_LOGHOME] is set - use it to define Log location folder. Log location is[/srv/essbase/Oracle/Middleware/user_projects/ESSBASE0/diagnostics/logs/essbase/essbase/app/MgmtRptg]. [JVM] Sun Microsystems Inc. [1.6.0_35] [JVM] Java HotSpot(TM) 64-Bit Server VM [20.10-b01] [JVM] Linux/amd64 [2.6.32-573.18.1.el6.x86_64] [JVM] Installing Java security manager

Event 2
[Thu Feb 16 15:38:18 2017]Local/ESSBASE0///140306127832832/Info(1051001) Received client request: Get Security Mode (from user [abc@aol.com])

Event 3
[Thu Feb 16 15:38:18 2017]Local/ESSBASE0///140306127832832/Info(1051187) Logging in user [abc@aol.com] from [10.12.65.71]

In each of the above events, as you can see, I have a user email. I want to filter the user email from events of the above type. I tried using rex, but in some places I get the values fine while in other places I get null, probably due to position differences. Is there a better way to handle this?

Regards

0 Karma
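The following is an added example, not code from either poster, that shows both extractions from this thread done the way the answer above suggests: one regex for the fixed event header (timestamp, thread id, level and the numeric code that lguinn's EXTRACT-ec stanza captures), and a second regex for the user address that is anchored on the literal "user [" token rather than on a column position, which is why it finds abc@aol.com in all three of the events posted in the follow-up regardless of where that token sits. Python's re module needs (?P<name>...) for named groups where Splunk's PCRE accepts (?<name>...); the sample events are copied from the thread (Event 1 abridged), and the names given to the slash-separated header fields after "Local/" (application, database, db_user, thread) are an assumption based on the usual Essbase log layout, not something the thread states.

```python
import re
from typing import Optional

# Constructed sample events, copied from the thread above (Event 1 is abridged).
SAMPLE_EVENTS = [
    "[Wed Feb 15 16:41:07 2017]Local/ESSBASE0///139702560335616/Error(1040065)\n"
    "Protocol mismatch may occur if a client other than an Essbase Client tries to "
    "access Essbase or if the packet is corrupted.",
    "[Thu Feb 16 15:38:19 2017]Local/ESSBASE0///140306130990848/Info(1051001) "
    "Received client request: Select Application/Database (from user [abc@aol.com]) "
    "Starting application MgmtRptg Environment variable [HYPERION_LOGHOME] is set - "
    "use it to define Log location folder.",
    "[Thu Feb 16 15:38:18 2017]Local/ESSBASE0///140306127832832/Info(1051001) "
    "Received client request: Get Security Mode (from user [abc@aol.com])",
    "[Thu Feb 16 15:38:18 2017]Local/ESSBASE0///140306127832832/Info(1051187) "
    "Logging in user [abc@aol.com] from [10.12.65.71]",
]

# Fixed header that every Essbase event starts with. The four field names after
# "Local/" are an assumption (usual Essbase layout: application/database/user/thread).
HEADER_RE = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\]"             # [Thu Feb 16 15:38:18 2017]
    r"(?P<scope>[^/]+)/"                      # Local/
    r"(?P<application>[^/]*)/"                # ESSBASE0/
    r"(?P<database>[^/]*)/"                   # empty in these events
    r"(?P<db_user>[^/]*)/"                    # empty in these events
    r"(?P<thread>\d+)/"                       # 140306127832832/
    r"(?P<level>[A-Za-z]+)\((?P<code>\d+)\)"  # Info(1051187); same idea as EXTRACT-ec
    r"\s*(?P<message>.*)$",                   # everything after the header
    re.DOTALL,
)

# Anchored on the literal token "user [", not on a position, so it matches both
# "(from user [...])" and "Logging in user [...]" and ignores other [...] values
# such as [HYPERION_LOGHOME].
USER_RE = re.compile(r"\buser \[(?P<user>[^\]]+)\]")
# Client address in "from [10.12.65.71]"; "from user [...]" does not match this.
SRC_IP_RE = re.compile(r"\bfrom \[(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_event(event: str) -> Optional[dict]:
    """Return the header fields of one event, plus user/src_ip when present."""
    m = HEADER_RE.match(event)
    if not m:
        return None  # not an Essbase event; leave it unparsed rather than guess
    fields = m.groupdict()
    for rx in (USER_RE, SRC_IP_RE):
        hit = rx.search(fields["message"])
        if hit:
            fields.update(hit.groupdict())
    return fields


def users_seen(events) -> list:
    """Distinct user names in order of first appearance; events without one are skipped."""
    seen = []
    for ev in events:
        f = parse_event(ev)
        if f and f.get("user") and f["user"] not in seen:
            seen.append(f["user"])
    return seen


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        f = parse_event(ev)
        print(f["timestamp"], f["level"], f["code"], f.get("user"), f.get("src_ip"))
    print(users_seen(SAMPLE_EVENTS))
```

In Splunk the same token-anchored pattern goes either into props.conf next to the existing stanza, as `EXTRACT-user = user \[(?<user>[^\]]+)\]`, or inline in a search as `| rex "user \[(?<user>[^\]]+)\]"`; neither depends on where in the message the address appears, so the null values seen with a position-based rex go away.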