Splunk Search

Need help with REX and Panels

karanvirsharma
New Member

Hi, I am newbie to Splunk.
Here's some of my sample logs, where I need to count the number of occurrences for each of these exceptions. Also I would like to build a Panel that gives me these Unique (in Bold below) occurrences.

org.mule.module.xml.filters.SchemaValidationFilter - SchemaValidationFilter rejected a message because it apparently failed to validate against the schema.
org.xml.sax.SAXParseException: cvc-maxLength-valid: Value 'Georgia Tech Yellow Jacke Heather Navy S Interbay Melange Stripe P' with length = '66' is not facet-valid with respect to maxLength '65' for type '#AnonType_DescriptionItemMessagetXML'.

DEBUG org.mule.module.xml.filters.SchemaValidationFilter - SchemaValidationFilter rejected a message because it apparently failed to validate against the schema.
org.xml.sax.SAXParseException: cvc-maxLength-valid: Value 'West Virginia Mountaineer No Color Yth XL Youth Girls CO3 Judo Flee' with length = '67' is not facet-valid with respect to maxLength '65' for type '#AnonType_DescriptionItemMessagetXML'.

This is what I have written so far:

index=Mule source = "*item-subscriber-manhattan*" "*is not facet-valid with respect to maxLength '65' for type*" | rex field==_raw "SchemaValidationFilter rejected a message because it apparently failed to validate against the schema. org.xml.sax.SAXParseException: cvc-maxLength-valid: Value (?<from>.*) is not facet-valid with respect to maxLength '65'(?<to>.*)"  | timechart span=1d count by to

The problem that I have is when I put it in Panel, event though it shows the counts but it still shows "Count" as NULL and when I try to drill through it, it doesn't show any logs (until I clear out the bold text below)

index=Mule source = "*item-subscriber-manhattan*" "*is not facet-valid with respect to maxLength '65' for type*" | rex field==_raw "SchemaValidationFilter rejected a message because it apparently failed to validate against the schema. org.xml.sax.SAXParseException: cvc-maxLength-valid: Value (?<from>.*) is not facet-valid with respect to maxLength '65'(?<to>.*)"  | **search to=NULL**

alt text

So please help me how can I find all these unique "exception strings" and also how can I make sure that my count doesn't show Null and when I click on the drill through in panel the search works fine.

0 Karma

gokadroid
Motivator

Assuming your intention was to catch the red pieces from this log line:

org.xml.sax.SAXParseException: cvc-maxLength-valid: Value Georgia Tech Yellow Jacke Heather Navy S Interbay Melange Stripe P' with length = '66' is not facet-valid with respect to maxLength '65' for type '#AnonType_DescriptionItemMessagetXML'.

How about you give this a try so that first text of interest gets caught in field from and second text of interest gets caught in field to, as is done in below query:

index=Mule source = "*item-subscriber-manhattan*" "*is not facet-valid with respect to maxLength '65' for type*" 
| rex field=_raw ".*cvc-maxLength-valid:\sValue\s(?<from>.*)\sis not facet-valid with respect to maxLength '65'for type (?<to>.*)"
| timechart span=1d count by to useother=f usenull=f

Hope it helps! See extration here

0 Karma

beatus
Communicator

karanvirsharma,
You have three options here:

  1. Make that rex a field extract. You can do this by adding it to props.conf under that sourcetype as such: props.conf

[my_sourcetype]
EXTRACT-from_to = SchemaValidationFilter rejected a message because it apparently failed to validate against the schema. org.xml.sax.SAXParseException: cvc-maxLength-valid: Value (?.*) is not facet-valid with respect to maxLength '65'(?.*)

This will cause the field to be automatically extracted.
2. Replace your < and > with the encoded version (< == &lt; and > == &gt;)
3. Utilize CDATA for the search in the XML:

<param name="search"><![CDATA[ index=Mule source = "*item-subscriber-manhattan*" "*is not facet-valid with respect to maxLength '65' for type*" | rex field==_raw "SchemaValidationFilter rejected a message because it apparently failed to validate against the schema. org.xml.sax.SAXParseException: cvc-maxLength-valid: Value (?<from>.*) is not facet-valid with respect to maxLength '65'(?<to>.*)" | timechart span=1d count by to]]></param>

Hope this helps!

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...