Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Regex to extract exceptionmessage

Bhuavana
Explorer
‎11-07-2014 02:34 AM

Hi,

I have five different types of exceptions and for that messages are logged as shown below :

ClientIp=065162175003 : - caught
com.wu.ws.WUWSException: WS000:WUWSException occured while executing the web service
at sun.reflect.GeneratedConstructorAccessor721

ClientIp=065162175003 : - caught
com.wu.ws.WUWSException: WS000:WUWSException occured while executing the web service
at

ClientIp=065162175003 : - Exception while getting fileApolloWhitelistedCredentials.properties ResourceHandler:getConfirationProperties()
java.io.FileNotFoundException: /apps/mobiliser5.1.0/02/money/conf/ApolloWhitelistedCredentials.properties (No such file or directory)
at
ClientIp=220227031066 : - caught
com.wu.ws.UserIDNotFoundException: W0334:The User Name you entered is incorrect. Please try again.
at

ClientIp=065162175003 : - caught
com.wu.ws.WUWSException: WS000:WUWSException occured while executing the web service
at

ClientIp=220227031066 : - caught
com.sybase365.mobiliser.custom.project.businesslogic.exceptions.WuCustomerLoginException: Failed to login through xx.com by identification: test@MAIINATOR.COM
at

Here i need extract the exception message alone in regex[ keeping ClientIp= as the front reference and at as the end reference- need to extract text between of that] using regex

Please let me know the regex query for the same

Tags (3)
0 Karma
Reply

aholzer
Motivator
‎11-07-2014 08:30 AM

Try this:

rex "(?P<exception_msg>ClientIp=\d{12} : - Exception [^\n]+? at)\n"

I've made a couple of assumptions:

  1. ClientIp= is always followed by exactly 12 digits
  2. That immediately after the ending "at" there is a new line
  3. You want to include both the strings "ClientIp" and "at" in your extraction

Hope this helps

0 Karma
Reply

Bhuavana
Explorer
‎11-10-2014 11:10 PM

Thanks for the update. With few modiifcations im able to fetch half of the message using below regex

| rex field=_raw "ClientIp=\d{12} : - (?(.)+[\n at])"

But above one is skipping message which is at next line.

Any idea how to fetch text at next line?

For ex:

In below log:

ClientIp=065162175003 : - Exception while getting fileApolloWhitelistedCredentials.properties
ResourceHandler:getConfirationProperties()
java.io.FileNotFoundException: /apps/mobiliser5.1.0/02/money/conf/ApolloWhitelistedCredentials.properties (No such file or directory)
at

With my above expression im able to get below text alone :

Exception while getting fileApolloWhitelistedCredentials.properties

But next line starting with ResourceHandler..... and java.io. is not extracted.

Please help to extract the same>?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-07-2014 05:12 AM

It's not clear exactly what text you're trying to extract. Please tell what your expected output is.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Bhuavana
Explorer
‎11-10-2014 11:12 PM

I need to extract message like [for ex: Exception while getting fileApolloWhitelistedCredentials.properties ResourceHandler:getConfirationProperties()
java.io.FileNotFoundException: /apps/mobiliser5.1.0/02/money/conf/ApolloWhitelistedCredentials.properties (No such file or directory] from above logs.
Similar to above text, from above logs text which starts next to : - and ends at [at]

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...