Pick up the first occurrence of a word

jw44250 · ‎05-02-2017

I want to pick only the first occurrence of word .

index = index1 ERROR

Event Result

2017-04-29T18:29:27.246+0000
message test error
testError
requestURl="home/testError"

But I am only interested the word Error, I thought i could with case insenstive search but it is not correct options or != operators this is may too dangerous might lose some other events

danielsofoulis · ‎05-02-2017

Try this

index=index1 | rex field=requestURl \w+\/test(?<error>Error) | fields error

somesoni2 · ‎05-02-2017

If the location of word ERROR (I'm assuming it's the one that appears after the timestamp) is the filter criteria, try like this

index=index1 ERROR | regex _raw="^\S+\s+ERROR.+"

jw44250 · ‎05-02-2017

it works Thanks, but i'm interested only the first occurrence for the word error but not the rest

Log Sample

Line 1 --> 2017-04-29T18:29:27.246+0000
Line 2 -- >message test error
Line 3 --> testError
Line 4 -->requestURl="home/testError"

Only want Line 2 Error which is the first appears of "ERROR"

I used this command and it work but still i can see it select all error of the same event

index = index1 "ERROR"
| regex _raw="\bError\b"

somesoni2 · ‎05-02-2017

So do you've multiline events (field linecount>1)? If yes, then is there any rule that 'only select the events which has error word in line 2' or something similar? What should happen if instead of line 2 line 3 has word error?

jw44250 · ‎05-02-2017

As soon as i see the error i want to stop, it doensn't matter it is in line 1,2 03, etc. it can any where the event.

somesoni2 · ‎05-02-2017

What you want to do after you picked that first Error word? You want to extract any field value around it?

jw44250 · ‎05-02-2017

I dont want to extract to any field, but im interested the whole _raw data

DalJeanis · ‎05-02-2017

I think you've got what he means.

DalJeanis · ‎05-02-2017

updated 8:00 PM CDT (Central US Daylight Savings TIme)

This should select the first line that has the word "error" in any case, anywhere in the line in it.

index = index1 "ERROR"
| rex field=_raw "(?im)^(?<theline>.*error.*)$"
| table _time theline

jw44250 · ‎05-02-2017

hi,

it didnt work , getting error
Error in 'SearchOperator:regex': Usage: regex (=|!=)

and ERROR is not a field

jw44250 · ‎05-02-2017

Sample Event Result 1:
2017-04-15T19:19:51.669+0000 ERROR
unknown error..........................
ERROR
....................................requestURI="url/test.error"
.............something happened error

I am interested only the very first appearance of the Error in the row data

Not sure if it correct : getting actual result but it selects every error sample Event Result 1
index= index1 ERROR | regex _raw="\bERROR\b"

DalJeanis · ‎05-02-2017

corrected grammar, try again.

niketn · ‎05-02-2017

Do you intend to perform case sensitive search? You can add the following to your base search CASE("*Error")

https://docs.splunk.com/Documentation/Splunk/latest/Search/UseCASEandTERMtomatchphrases

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

jw44250 · ‎05-02-2017

not really,

I am interested only in the first occurance of the word error and error is not a field.

jw44250 · ‎05-02-2017

it would be helpful int the future

Pick up the first occurrence of a word

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?