
Regex to return full string or string until first match of :

pradjswl
Explorer

My raw data is in the format
Sample 1)

[02-10-2017_13:11:10.973_PST] [ERROR] - [kH8p2xg4k-] [user@ABCmail.com] [] [shared] [BilledWirelessEquipmentChargesAlertHandler] - Error Occured in method BilledWirelessEquipmentChargesAlertHandler.executeHandler and the exception is:gndrgnkjhkjhk:frnfer gnerg : trentertj gelkdjngodg gldkrjgld:

sample 2)
[02-10-2017_13:11:10.973_PST] [ERROR] - [kH8p2xg4k-] [user@ABCmail.com] [] [shared] [BilledWirelessEquipmentChargesAlertHandler] - Error Occured in method BilledWirelessEquipmentChargesAlertHandler.executeHandler and the exception is invalid input

sample 3)
[02-10-2017_13:11:10.973_PST] [ERROR] - [kH8p2xg4k-] [user@ABCmail.com] [] [shared] [BilledWirelessEquipmentChargesAlertHandler] - Error Occured in method BilledWirelessEquipmentChargesAlertHandler.executeHandler and the exception is invalid input

The error log continues after a new line.

Anything after the 7th ] has the error description. I would like the regex to return
1) the string until the first match of the : character
2) if the string doesn't have a : character, then the string until the new line \n character
3) if there is no : or new line, then the complete string

I'm trying (?:\].*?){7}\s-\s(?P\.*)[\n\:]? but it doesn't seem to be working.

Appreciate your suggestion.

1 Solution

somesoni2
Revered Legend

This should do it

(([^\]]+\]){7})\s+-\s+(?<ErrorMessage>[^:\r\n]+)

in search

.... | rex "(([^\]]+\]){7})\s+-\s+(?<ErrorMessage>[^:\r\n]+)"

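A quick way to check the accepted regex against all three criteria from the question, as an added example that is not part of the thread: Python's `re` module only accepts `(?P<name>...)` for named groups, so the `(?<ErrorMessage>...)` syntax that Splunk's PCRE-based `rex` understands is rewritten to that form; everything else in the pattern is unchanged. The three sample events are constructed from the question, with a made-up continuation line added to the third one.

```python
import re

# The accepted answer's regex. Only the named-group syntax is changed:
# Splunk/PCRE (?<ErrorMessage>...) becomes Python's (?P<ErrorMessage>...).
ERROR_MESSAGE_RE = re.compile(
    r"(([^\]]+\]){7})\s+-\s+(?P<ErrorMessage>[^:\r\n]+)"
)

# Constructed sample events modelled on the three samples in the question.
PREFIX = (
    "[02-10-2017_13:11:10.973_PST] [ERROR] - [kH8p2xg4k-] [user@ABCmail.com] "
    "[] [shared] [BilledWirelessEquipmentChargesAlertHandler] - "
)
BODY = (
    "Error Occured in method BilledWirelessEquipmentChargesAlertHandler"
    ".executeHandler and the exception is"
)
SAMPLES = {
    # 1) a colon is present: the field must stop at the first ':'
    "colon": PREFIX + BODY + ":gndrgnkjhkjhk:frnfer gnerg : trentertj",
    # 2) neither colon nor newline: the field must be the whole remainder
    "plain": PREFIX + BODY + " invalid input",
    # 3) no colon, but the event continues on a new line (constructed
    #    stack-trace line): the field must stop at '\n'
    "multiline": PREFIX + BODY + " invalid input\n"
    "\tat com.example.Handler.executeHandler(Handler.java:42)",
}


def extract_error_message(event: str):
    """Return the ErrorMessage field rex would create for this event, or None.

    A negated character class [^:\\r\\n]+ stops at the first ':' or line
    break and otherwise runs to the end of the event, which is exactly the
    three-way rule the question asks for, without any alternation.
    """
    match = ERROR_MESSAGE_RE.search(event)
    return match.group("ErrorMessage") if match else None


def extract_all(events):
    """Apply the extraction to a mapping of name -> raw event."""
    return {name: extract_error_message(raw) for name, raw in events.items()}


if __name__ == "__main__":
    for name, message in extract_all(SAMPLES).items():
        print(f"{name:10s} -> {message!r}")
```

The `([^\]]+\]){7}` prefix assumes exactly seven bracketed fields before the ` - ` separator; an event with a different number of fields simply does not match, and in Splunk the `ErrorMessage` field is left unset rather than producing an error, so it is worth confirming that the count is constant across your sourcetype before relying on it.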


pradjswl
Explorer

@somesoni2 excellent, worked like a charm. Thank you so much


niketn
Legend

Based on the three samples provided, I could extract the following meaningful information from your logs (ComponentName and ObjectName may be the same). In your data, ComponentName, ObjectName and ModuleName are the same for all three examples. So, you can replace these with actual text from your log and extract Reason, which seems to be the only field you might be interested in based on your question. PS: I have tested on Regex101.

\[(?<ComponentName>\w+)\]\s\-\sError Occured in method (?<ObjectName>\w+)\.(?<ModuleName>\w+) and the exception is(?<Reason>.*)


____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

pradjswl
Explorer

@niketnilay Thanks for the quick response. Those were just three different versions of the same log to clarify how the log would look with respect to the position of ':' or a new line.

The content 'Error Occurred in method' & 'and the exception is' keeps on changing for every log.
I am sorry if my sample pattern looks similar. I would be extracting the interesting field into only one field: either it should satisfy criteria 1; if 1 is not satisfied then it would look for the 2nd, else the 3rd.


niketn
Legend

Can you try this

\[(?<ComponentName>\w+)\]\s\-\s(?<Error>[\w|\s]+)\.(?<Reason>[\w|\s|:]+)

Alternatively, can you try Splunk Field Extraction for this specific scenario and let Splunk come up with the extraction? You can include non-matches and also remove incorrect matches through interactive field extraction.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"