Re: Logs between "string1" and "string2"

VS0909 · ‎09-03-2021

I have to find logs between "string1" and "string2" in Splunk for index=abc. Then I need to verify if there is any "Error" or "Severe" word displayed in those logs.

Can someone please help with the Splunk query?

gcusello · ‎09-04-2021

Hi @VS0909,

as @shivanshu1593 said, we could be more precise having a sample of your logs, anyway, the regex to extract a field between two strings it's easy:

| rex "string1(?<your_field>.*)string2"

beware when you write the strings because regexes are case sensitive.

Ciao.

Giuseppe

VS0909 · ‎09-05-2021

@gcusello @shivanshu1593

Please find the below sample.

I want to extract the logs between "Abc fgh, app continuing" and "started in". If there are "ERROR" or "SEVERE" keywords in the extracted logs, then I want to print that "ERROR" or "SEVERE" line.

2021-08-31 02:03:52,081 INFO [stdout] jkwqdwqjdk
2021-08-31 02:03:52,081 INFO [stdout] (ServerService Thread Pool -- 83)
2021-08-31 02:03:52,081 INFO [stdout] (ServerService Thread Pool -- 83) Abc fgh, app continuing
2021-08-31 02:03:52,081 INFO [stdout] (ServerService Thread Pool -- 83)

2021-08-31 02:03:52,081 INFO [stdout] (ServerService Thread Pool -- 83)kwqskqw
2021-08-31 02:03:52,081 INFO [stdout] (ServerService Thread Pool -- 83)
2021-08-31 02:03:52,081 INFO [org.kjskj.akjs] (ServerService Thread Pool -- 11) WFLYUT0021: Registered web context: '/dyn' for server 'default-server'
2021-08-31 02:03:52,081 ERROR [org.kjskj.akjs] "There is an error"
2021-08-31 02:03:52,081 SEVERE [org.kjskj.akjs] There is Severe
2021-08-31 02:03:55,166 INFO [org.jboss.as] (Controller Boot Thread) WAAAAAA0033: JBoss EAP 1.1.9.GA (abcfegc Core 2.0.10.Final-call-00000) started in 169999ms - Started 2222 of 2222 services (311 services are lazy, passive or on-demand)
2021-08-31 02:03:55,169 INFO [org.jboss.as] (aa nnnThread) WAAAAAA0033: Http interface listening on http://111.11.11.11:8080/aaa
2021-08-31 02:03:55,169 INFO [org.nnn.as] (ioio llkl Thread) WAAAAAA0033: console listening on http://111.11.11.11:8080/aaa

Appreciate your help.

gcusello · ‎09-06-2021

Hi @VS0909,

viewing you logs, it's a different situation: you don't need a regex to extract a field, you need to correlate many events!

Anyway, try something like this:

index=your_index
| transaction startswith="Abc fgh, app continuing" endswith="started in"
| rex "(?<error_level>ERROR|SEVERE)"
| table _time error_level

Ciao.

Giuseppe

VS0909 · ‎09-06-2021

@gcusello Thanks for the reply

I also want to print the line in the extracted Error or SEVERE line.

Can you pls help with that.

gcusello · ‎09-06-2021

Hi @VS0909,

ok, please try this:

index=your_index
| transaction startswith="Abc fgh, app continuing" endswith="started in"
| rex "^(?<event>\d+-\d+-\d+\s+\d+:\d+:\d+,\d+\s(ERROR|SEVERE).*)"
| table _time event

you can test the regex at https://regex101.com/r/oid94M/1

If you want also the error level and the timestamp of the single event, you can use another regex to extract them.

Ciao.

Giuseppe

shivanshu1593 · ‎09-03-2021

Hello @VS0909 ,

Could you share some sample data and desired output as to what you're expecting. We can help to build the query.

Thank you,

So

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

Logs between "string1" and "string2"

count

eval

fields

regex

stats

subsearch

timechart

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services