Splunk Search

Pick up the first occurrence of a word

jw44250
New Member

I want to pick only the first occurrence of a word.

index = index1 ERROR

Event Result

2017-04-29T18:29:27.246+0000
message test error
testError
requestURl="home/testError"

But I am only interested in the word Error. I thought I could do it with a case-insensitive search, but that is not the correct option, or with != operators, but this may be too dangerous and might lose some other events.

0 Karma

danielsofoulis
Path Finder

Try this

index=index1 | rex field=requestURl "\w+\/test(?<error>Error)" | fields error
0 Karma

somesoni2
SplunkTrust

If the location of the word ERROR (I'm assuming it's the one that appears after the timestamp) is the filter criterion, try something like this

index=index1 ERROR | regex _raw="^\S+\s+ERROR.+"

jw44250
New Member

It works, thanks, but I'm interested only in the first occurrence of the word error, not the rest.

Log Sample

Line 1 --> 2017-04-29T18:29:27.246+0000
Line 2 --> message test error
Line 3 --> testError
Line 4 --> requestURl="home/testError"

I only want Line 2's Error, which is the first appearance of "ERROR".

I used this command and it works, but I can still see it selecting every error in the same event.

index = index1 "ERROR"
| regex _raw="\bError\b"

0 Karma

somesoni2
SplunkTrust

So do you have multiline events (field linecount>1)? If yes, then is there any rule like 'only select the events which have the error word in line 2' or something similar? What should happen if line 3 instead of line 2 has the word error?

0 Karma

jw44250
New Member

As soon as I see the error I want to stop; it doesn't matter if it is in line 1, 2, 3, etc. It can be anywhere in the event.

0 Karma

somesoni2
SplunkTrust

What do you want to do after you pick that first Error word? Do you want to extract any field value around it?

0 Karma

jw44250
New Member

I don't want to extract to any field, but I'm interested in the whole _raw data.

0 Karma

DalJeanis
SplunkTrust

I think you've got what he means.

0 Karma

DalJeanis
SplunkTrust

updated 8:00 PM CDT (Central US Daylight Savings Time)

This should select the first line that has the word "error" in any case, anywhere in the line.

index = index1 "ERROR"
| rex field=_raw "(?im)^(?<theline>.*error.*)$"
| table _time theline
0 Karma
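To show why the two searches in this thread behave differently (somesoni2's `regex` command, which keeps or drops whole events and never trims `_raw`, versus DalJeanis's `rex` command, which extracts one captured line and by default stops at the first match), here is an added Python re-implementation of both patterns run over sample events constructed from the ones posted above. This is not code from any of the posters or from Splunk: the event strings and function names are my own, and Python's `re` module stands in for Splunk's PCRE engine, whose `(?i)` and `(?m)` flags behave the same way for these patterns.

```python
import re
from typing import List, Optional

# Constructed sample events, modelled on the multiline examples posted in
# this thread. Each string is one event's _raw value; "\n" separates lines.
EVENT_A = (
    "2017-04-29T18:29:27.246+0000\n"
    "message test error\n"
    "testError\n"
    'requestURl="home/testError"'
)
EVENT_B = (
    "2017-04-15T19:19:51.669+0000 ERROR\n"
    "unknown error..........................\n"
    "ERROR\n"
    '....................................requestURI="url/test.error"\n'
    ".............something happened error"
)
EVENT_C = "2017-04-15T19:20:00.000+0000 INFO\nall good here"

# Counterpart of somesoni2's filter:  | regex _raw="^\S+\s+ERROR.+"
# There is no (?m) flag, so ^ anchors to the start of the whole event, and
# "." does not cross a newline, so ".+" needs at least one more character
# after ERROR on that same first line.
LEADING_ERROR = re.compile(r"^\S+\s+ERROR.+")

# Counterpart of DalJeanis's extraction:
#   | rex field=_raw "(?im)^(?<theline>.*error.*)$"
# (?i) ignores case and (?m) makes ^ and $ match at every line boundary.
# Python spells a named group (?P<name>...) where PCRE accepts (?<name>...).
FIRST_ERROR_LINE = re.compile(r"(?im)^(?P<theline>.*error.*)$")


def has_leading_error(raw: str) -> bool:
    """True when the event would survive the regex filter (whole event kept, nothing trimmed)."""
    return LEADING_ERROR.search(raw) is not None


def first_error_line(raw: str) -> Optional[str]:
    """Return only the first line containing 'error' in any case, or None.

    This mirrors rex with its default max_match=1: the search stops at the
    first match, which is what gives the 'first occurrence only' behaviour.
    """
    m = FIRST_ERROR_LINE.search(raw)
    return m.group("theline") if m else None


def all_error_lines(raw: str) -> List[str]:
    """Every matching line, for comparison with the 'it selects every error' result."""
    return FIRST_ERROR_LINE.findall(raw)


if __name__ == "__main__":
    for name, raw in (("EVENT_A", EVENT_A), ("EVENT_B", EVENT_B), ("EVENT_C", EVENT_C)):
        print(name, "kept by regex filter:", has_leading_error(raw))
        print(name, "first error line:", first_error_line(raw))
        print(name, "all error lines:", all_error_lines(raw))
```

Running it shows the distinction the thread circles around: `regex` is a whole-event filter, so a matching event still carries every later "error" in `_raw`, while the `rex` pattern captures exactly one line. It also surfaces a caveat with the filter pattern: because `.+` cannot consume a newline, an event whose first line ends right after `ERROR` (as in the second sample) is not matched.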

jw44250
New Member

hi,

it didn't work, getting error
Error in 'SearchOperator:regex': Usage: regex (=|!=)

and ERROR is not a field

0 Karma

jw44250
New Member

Sample Event Result 1:
2017-04-15T19:19:51.669+0000 ERROR
unknown error..........................
ERROR
....................................requestURI="url/test.error"
.............something happened error

I am interested only in the very first appearance of the Error in the raw data.

Not sure if it is correct: I get the actual result, but it selects every error in sample Event Result 1.
index= index1 ERROR | regex _raw="\bERROR\b"

0 Karma

DalJeanis
SplunkTrust

corrected grammar, try again.

0 Karma

niketn
Legend

Do you intend to perform a case-sensitive search? You can add the following to your base search: CASE("*Error")

https://docs.splunk.com/Documentation/Splunk/latest/Search/UseCASEandTERMtomatchphrases

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

jw44250
New Member

not really,

I am interested only in the first occurrence of the word error, and error is not a field.

0 Karma

jw44250
New Member

It would be helpful in the future.

0 Karma