Regex to return full string or string until first match of ':'

pradjswl
Explorer

My raw data is in the format
Sample 1)

[02-10-2017_13:11:10.973_PST] [ERROR] - [kH8p2xg4k-] [user@ABCmail.com] [] [shared] [BilledWirelessEquipmentChargesAlertHandler] - Error Occured in method BilledWirelessEquipmentChargesAlertHandler.executeHandler and the exception is:gndrgnkjhkjhk:frnfer gnerg : trentertj gelkdjngodg gldkrjgld:

sample 2)
[02-10-2017_13:11:10.973_PST] [ERROR] - [kH8p2xg4k-] [user@ABCmail.com] [] [shared] [BilledWirelessEquipmentChargesAlertHandler] - Error Occured in method BilledWirelessEquipmentChargesAlertHandler.executeHandler and the exception is invalid input

sample 3)
[02-10-2017_13:11:10.973_PST] [ERROR] - [kH8p2xg4k-] [user@ABCmail.com] [] [shared] [BilledWirelessEquipmentChargesAlertHandler] - Error Occured in method BilledWirelessEquipmentChargesAlertHandler.executeHandler and the exception is invalid input

The error log continues after a new line.

Anything after the 7th ] has the error description. I would like the regex to return
1) the string until the first match of the : character
2) if the string doesn't have a : character, then the string until the new line \n character
3) if there is no : or new line, then the complete string

I'm trying (?:\].*?){7}\s-\s(?P\.*)[\n\:]? but it doesn't seem to be working.

Appreciate your suggestion.


somesoni2
SplunkTrust
SplunkTrust

This should do it

(([^\]]+\]){7})\s+-\s+(?<ErrorMessage>[^:\r\n]+)

in search

.... | rex "(([^\]]+\]){7})\s+-\s+(?<ErrorMessage>[^:\r\n]+)"

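To see why the accepted regex satisfies all three of the asker's conditions at once, here is an added example (not code from the original thread) that runs it over events constructed from the three samples in the question. Splunk's rex uses PCRE, where (?<name>...) is valid; Python's re module needs the (?P<name>...) spelling, so the group is renamed accordingly but the pattern is otherwise unchanged. The multi-line continuation text and the short event with fewer than seven bracketed fields are constructed for this example.

```python
import re

# somesoni2's regex, translated to Python's (?P<name>...) named-group syntax.
# The same pattern works unchanged in Splunk: ... | rex "(([^\]]+\]){7})\s+-\s+(?<ErrorMessage>[^:\r\n]+)"
#
# How it meets the three requirements:
#   ([^\]]+\]){7}   consume exactly seven ']'-terminated fields (the empty [] field still counts,
#                   since the preceding space and '[' are non-']' characters)
#   \s+-\s+         the literal " - " separator before the free-text message
#   [^:\r\n]+       greedy run of anything except ':' or a line break, so the capture stops at
#                   the first ':' (rule 1), at a newline (rule 2), or at end of event (rule 3)
ERROR_MESSAGE_RE = re.compile(r"(([^\]]+\]){7})\s+-\s+(?P<ErrorMessage>[^:\r\n]+)")

# Event prefix taken from the question's samples; the seven bracketed fields precede " - ".
PREFIX = (
    "[02-10-2017_13:11:10.973_PST] [ERROR] - [kH8p2xg4k-] [user@ABCmail.com] [] "
    "[shared] [BilledWirelessEquipmentChargesAlertHandler] - "
)

# Constructed test events, one per case in the question:
#   "colon"     message contains ':'          -> capture ends at the first ':'
#   "plain"     message runs to end of event  -> whole remainder is captured
#   "multiline" message continues on new line -> capture ends at the line break
#               (the stack-trace continuation line is constructed, not from the page)
SAMPLES = {
    "colon": PREFIX + "Error Occured in method BilledWirelessEquipmentChargesAlertHandler."
                      "executeHandler and the exception is:gndrgnkjhkjhk:frnfer gnerg : trentertj",
    "plain": PREFIX + "Error Occured in method BilledWirelessEquipmentChargesAlertHandler."
                      "executeHandler and the exception is invalid input",
    "multiline": PREFIX + "Error Occured in method BilledWirelessEquipmentChargesAlertHandler."
                          "executeHandler and the exception is invalid input\n"
                          "    at com.example.Handler.run(Handler.java:42)",
}


def extract_error_message(event: str):
    """Return the ErrorMessage field as rex would extract it, or None when the event
    does not have seven bracketed fields followed by ' - ' (rex then sets no field)."""
    m = ERROR_MESSAGE_RE.search(event)
    return m.group("ErrorMessage") if m else None


def extract_all(samples=SAMPLES):
    """Run the extraction over every constructed sample and return name -> ErrorMessage."""
    return {name: extract_error_message(event) for name, event in samples.items()}


if __name__ == "__main__":
    for name, msg in extract_all().items():
        print(f"{name:9s} -> {msg!r}")
```

Note that the capture is greedy up to the first ':', so in the "colon" case it stops before the exception detail and the trailing timestamp colons inside the first bracket are never a problem because they are consumed by the bracket group. An event with fewer than seven bracketed fields produces no match at all, which is what you want in Splunk: no ErrorMessage field rather than a wrong one.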

pradjswl
Explorer

@somesoni2 excellent, worked like a charm. Thank you so much


niketn
Legend

Based on the three samples provided, I could extract the following meaningful information from your logs (ComponentName and ObjectName may be the same). In your data, ComponentName, ObjectName and ModuleName are the same for all three examples. So you can replace these with the actual text from your log and extract Reason, which seems to be the only field you might be interested in based on your question. PS: I have tested on Regex101.

\[(?<ComponentName>\w+)\]\s\-\sError Occured in method (?<ObjectName>\w+)\.(?<ModuleName>\w+) and the exception is(?<Reason>.*)


____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

pradjswl
Explorer

@niketnilay Thanks for the quick response. Those were just three different versions of the same log to clarify how the log would look with respect to the position of ':' or a new line.

The content 'Error Occurred in method' & 'and the exception is' keeps changing for every log.
I am sorry if my sample pattern looks similar. I would be extracting the field of interest into only one field: either it should satisfy criteria 1; if 1 is not satisfied then it would look for the 2nd, else the 3rd.


niketn
Legend

Can you try this

\[(?<ComponentName>\w+)\]\s\-\s(?<Error>[\w|\s]+)\.(?<Reason>[\w|\s|:]+)

Alternatively, can you try Splunk Field Extraction for the specific scenario and let Splunk come up with the extraction. You can include non-matches and also remove incorrect matches through interactive field extraction.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"