Hyperion Logs - How to extract a particular value from Log

avaishsplunk
Path Finder

My events are in the below format in splunk:

[Wed Feb 15 16:41:07 2017]Local/ESSBASE0///139702560335616/Error(1040065)
Protocol mismatch may occur if a client other than an Essbase Client tries to access Essbase or if the packet is corrupted.

How shall I parse this log so that I can extract the error code as 1040065, and/or if I want to extract other values?


lguinn2
Legend

You don't need to do anything with this log at parsing time. To extract the error code at search time, you can use the Field Extractor to create the error code field. Or you could just put the following in props.conf on the search head.

[hyperion]
EXTRACT-ec = Error\((?<error_code>\d+)\)

This assumes that the sourcetype for this input is "hyperion." I named the new field "error_code."


avaishsplunk
Path Finder

Hello lguinn,

Thanks for your response. I have the below problem doing field extraction:

I have 3 events like below:

Event -1
[Thu Feb 16 15:38:19 2017]Local/ESSBASE0///140306130990848/Info(1051001) Received client request: Select Application/Database (from user [abc@aol.com]) Starting application MgmtRptg Environment variable [HYPERION_LOGHOME] is set - use it to define Log location folder. Log location is[/srv/essbase/Oracle/Middleware/user_projects/ESSBASE0/diagnostics/logs/essbase/essbase/app/MgmtRptg]. [JVM] Sun Microsystems Inc. [1.6.0_35] [JVM] Java HotSpot(TM) 64-Bit Server VM [20.10-b01] [JVM] Linux/amd64 [2.6.32-573.18.1.el6.x86_64] [JVM] Installing Java security manager

Event -2

[Thu Feb 16 15:38:18 2017]Local/ESSBASE0///140306127832832/Info(1051001) Received client request: Get Security Mode (from user [abc@aol.com])

Event -3
[Thu Feb 16 15:38:18 2017]Local/ESSBASE0///140306127832832/Info(1051187) Logging in user [abc@aol.com] from [10.12.65.71]

In each of the above events, as you can see, I have the user email. I want to filter the user email from the above type of events. I tried using rex, but in some places I am getting the values fine and in some places I am getting null, probably due to position differences. Is there a better way to handle this?

Regards

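Added example (editor's code, not part of the thread): the extractions from lguinn2's answer and from the follow-up question, run in Python over the four events posted above so the behaviour can be checked offline. The events are copied from the thread (the two-line Error event joined into one, as Splunk indexes it by default; the long JVM tail of the first Info event shortened). The field names `level`, `client_ip` and `timestamp` are my choice, not anything Essbase or Splunk defines. Splunk's props.conf `EXTRACT-*` and the `rex` command use PCRE named groups `(?<name>...)`; Python's `re` module spells them `(?P<name>...)`, and that is the only difference between the patterns below and what would go into props.conf. The user extraction is shown twice: once anchored on the surrounding wording `(from user [...])`, which returns null for the "Logging in user" event and is the likely cause of the nulls described in the follow-up, and once anchored on the literal token `user [` shared by every event, which is position-independent.

```python
import re

# Events copied from the thread above (joined into single lines, first Info event shortened).
EVENTS = [
    "[Wed Feb 15 16:41:07 2017]Local/ESSBASE0///139702560335616/Error(1040065) "
    "Protocol mismatch may occur if a client other than an Essbase Client tries to access "
    "Essbase or if the packet is corrupted.",
    "[Thu Feb 16 15:38:19 2017]Local/ESSBASE0///140306130990848/Info(1051001) "
    "Received client request: Select Application/Database (from user [abc@aol.com]) "
    "Starting application MgmtRptg",
    "[Thu Feb 16 15:38:18 2017]Local/ESSBASE0///140306127832832/Info(1051001) "
    "Received client request: Get Security Mode (from user [abc@aol.com])",
    "[Thu Feb 16 15:38:18 2017]Local/ESSBASE0///140306127832832/Info(1051187) "
    "Logging in user [abc@aol.com] from [10.12.65.71]",
]

# lguinn2's EXTRACT-ec = Error\((?<error_code>\d+)\), widened so that Info/Warning codes are
# captured as well and the severity word lands in its own field ("level" is my field name).
LEVEL_AND_CODE = re.compile(r"/(?P<level>[A-Za-z]+)\((?P<error_code>\d+)\)")

# Anchored on the wording around the email: matches "(from user [...])" in the client-request
# events, but there is no "from user" in "Logging in user [...]", so that event yields null.
USER_BY_CONTEXT = re.compile(r"from user \[(?P<user>[^\]]+)\]")

# Anchored on the one token every event shares, "user [", so the position of the email in the
# message no longer matters. props.conf equivalent: EXTRACT-user = user \[(?<user>[^\]]+)\]
USER_BY_TOKEN = re.compile(r"\buser \[(?P<user>[^\]]+)\]")

# "from [10.12.65.71]" appears only in the login event; "from user [" does not match because
# the character after "from " is "u", not "[". Field name "client_ip" is my choice.
CLIENT_IP = re.compile(r"\bfrom \[(?P<client_ip>\d{1,3}(?:\.\d{1,3}){3})\]")

# The bracketed timestamp at the start of every Essbase event.
TIMESTAMP = re.compile(r"^\[(?P<timestamp>[^\]]+)\]")

FIELD_PATTERNS = (TIMESTAMP, LEVEL_AND_CODE, USER_BY_TOKEN, CLIENT_IP)


def extract_fields(event: str) -> dict:
    """Apply every search-time extraction to one event and return the fields that matched,
    mirroring how Splunk attaches EXTRACT-* fields to an event at search time."""
    fields = {}
    for pattern in FIELD_PATTERNS:
        match = pattern.search(event)
        if match:
            fields.update({k: v for k, v in match.groupdict().items() if v is not None})
    return fields


def compare_user_extractions(events) -> list:
    """Per event, (user from the wording-anchored regex, user from the token-anchored regex);
    None where a regex does not match. Shows where the nulls come from."""
    rows = []
    for event in events:
        ctx = USER_BY_CONTEXT.search(event)
        tok = USER_BY_TOKEN.search(event)
        rows.append((ctx.group("user") if ctx else None, tok.group("user") if tok else None))
    return rows


def events_for_user(events, user: str) -> list:
    """Search-time filter, the equivalent of: sourcetype=hyperion user="abc@aol.com"."""
    return [e for e in events if extract_fields(e).get("user") == user]


if __name__ == "__main__":
    for e in EVENTS:
        print(extract_fields(e))
    print(compare_user_extractions(EVENTS))
    print(len(events_for_user(EVENTS, "abc@aol.com")), "events for abc@aol.com")
```

In SPL the token-anchored form is `| rex "user \[(?<user>[^\]]+)\]"`, or, persisted for the sourcetype, `EXTRACT-user = user \[(?<user>[^\]]+)\]` next to lguinn2's `EXTRACT-ec` stanza entry. The general point is to anchor an extraction on a token that is present in every event variant rather than on words or positions that only some variants share.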