Logs between "string1"  and  "string2"

VS0909
Communicator

I have to find logs between "string1"  and  "string2" in Splunk for index=abc. Then I need to verify if there is any "Error" or "Severe" word displayed in those logs.

Can someone please help with the Splunk query?


gcusello
SplunkTrust

Hi @VS0909,

as @shivanshu1593 said, we could be more precise with a sample of your logs; anyway, the regex to extract a field between two strings is easy:

| rex "string1(?<your_field>.*)string2"

Beware when you write the strings, because regexes are case-sensitive.

Ciao.

Giuseppe


VS0909
Communicator

@gcusello  @shivanshu1593 

Please find the below sample.

I want to extract the logs between "Abc fgh, app continuing" and "started in". If there are "ERROR" or "SEVERE" keywords in the extracted logs, then I want to print that  "ERROR" or "SEVERE" line.

2021-08-31 02:03:52,081 INFO [stdout] jkwqdwqjdk
2021-08-31 02:03:52,081 INFO [stdout] (ServerService Thread Pool -- 83)
2021-08-31 02:03:52,081 INFO [stdout] (ServerService Thread Pool -- 83) Abc fgh, app continuing
2021-08-31 02:03:52,081 INFO [stdout] (ServerService Thread Pool -- 83)

2021-08-31 02:03:52,081 INFO [stdout] (ServerService Thread Pool -- 83)kwqskqw
2021-08-31 02:03:52,081 INFO [stdout] (ServerService Thread Pool -- 83)
2021-08-31 02:03:52,081 INFO [org.kjskj.akjs] (ServerService Thread Pool -- 11) WFLYUT0021: Registered web context: '/dyn' for server 'default-server'
2021-08-31 02:03:52,081 ERROR [org.kjskj.akjs] "There is an error"
2021-08-31 02:03:52,081 SEVERE [org.kjskj.akjs] There is Severe
2021-08-31 02:03:55,166 INFO [org.jboss.as] (Controller Boot Thread) WAAAAAA0033: JBoss EAP 1.1.9.GA (abcfegc Core 2.0.10.Final-call-00000) started in 169999ms - Started 2222 of 2222 services (311 services are lazy, passive or on-demand)
2021-08-31 02:03:55,169 INFO [org.jboss.as] (aa nnnThread) WAAAAAA0033: Http interface listening on http://111.11.11.11:8080/aaa
2021-08-31 02:03:55,169 INFO [org.nnn.as] (ioio llkl Thread) WAAAAAA0033: console listening on http://111.11.11.11:8080/aaa

Appreciate your help.


gcusello
SplunkTrust

Hi @VS0909,

viewing your logs, it's a different situation: you don't need a regex to extract a field, you need to correlate many events!

Anyway, try something like this:

index=your_index
| transaction startswith="Abc fgh, app continuing" endswith="started in"
| rex "(?<error_level>ERROR|SEVERE)"
| table _time error_level

Ciao.

Giuseppe

VS0909
Communicator

@gcusello  Thanks for the reply

I also want to print the extracted ERROR or SEVERE line itself.

Can you please help with that?


gcusello
SplunkTrust

Hi @VS0909,

ok, please try this:

index=your_index
| transaction startswith="Abc fgh, app continuing" endswith="started in"
| rex "^(?<event>\d+-\d+-\d+\s+\d+:\d+:\d+,\d+\s(ERROR|SEVERE).*)"
| table _time event

you can test the regex at https://regex101.com/r/oid94M/1

If you also want the error level and the timestamp of the single event, you can use another regex to extract them.

Ciao.

Giuseppe

shivanshu1593
Builder

Hello @VS0909 ,

Could you share some sample data and the desired output you're expecting? We can help build the query.

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###