Regex to return full string or string until first match of :

Explorer

My raw data is in the following format.
Sample 1)

[02-10-2017_13:11:10.973_PST] [ERROR] - [kH8p2xg4k-] [user@ABCmail.com] [] [shared] [BilledWirelessEquipmentChargesAlertHandler] - Error Occured in method BilledWirelessEquipmentChargesAlertHandler.executeHandler and the exception is:gndrgnkjhkjhk:frnfer gnerg : trentertj gelkdjngodg gldkrjgld:

Sample 2)
[02-10-2017_13:11:10.973_PST] [ERROR] - [kH8p2xg4k-] [user@ABCmail.com] [] [shared] [BilledWirelessEquipmentChargesAlertHandler] - Error Occured in method BilledWirelessEquipmentChargesAlertHandler.executeHandler and the exception is invalid input

Sample 3)
[02-10-2017_13:11:10.973_PST] [ERROR] - [kH8p2xg4k-] [user@ABCmail.com] [] [shared] [BilledWirelessEquipmentChargesAlertHandler] - Error Occured in method BilledWirelessEquipmentChargesAlertHandler.executeHandler and the exception is invalid input

The error log continues after a new line.

Anything after the 7th ] has the error description. I would like the regex to return:
1) the string until the first match of the : character
2) if the string doesn't have a : character, then the string until the new line \n character
3) if there is no : or new line, then the complete string

I'm trying (?:\].*?){7}\s-\s(?P\.*)[\n\:]? but it doesn't seem to be working.

Appreciate your suggestion.

0 Karma

Re: Regex to return full string or string until first match of :

Legend

Based on the three samples provided, I could extract the following meaningful information from your logs (ComponentName and ObjectName may be the same). In your data, ComponentName, ObjectName and ModuleName are the same for all three examples. So, you can replace these with the actual text from your log and extract Reason, which seems to be the only field you might be interested in based on your question. PS: I have tested on Regex101.

\[(?<ComponentName>\w+)\]\s\-\sError Occured in method (?<ObjectName>\w+)\.(?<ModuleName>\w+) and the exception is(?<Reason>.*)

| eval message="Happy Splunking!!!"


Re: Regex to return full string or string until first match of :

Explorer

@niketnilay Thanks for the quick response. Those were just three different versions of the same log to clarify how the log would look with respect to the position of ':' or a new line.

The content 'Error Occurred in method' & 'and the exception is' keeps on changing for every log.
I am sorry if my sample pattern looks similar. I would be extracting the field of interest into only one field: either it should satisfy criterion 1; if 1 is not satisfied then it would look for the 2nd, else the 3rd.

0 Karma

Re: Regex to return full string or string until first match of :

Legend

Can you try this:

\[(?<ComponentName>\w+)\]\s\-\s(?<Error>[\w|\s]+)\.(?<Reason>[\w|\s|:]+)

Alternatively, can you try Splunk Field Extraction for the specific scenario and let Splunk come up with the extraction. You can include non-matches and also remove incorrect matches through interactive field extraction.

| eval message="Happy Splunking!!!"


Re: Regex to return full string or string until first match of :

SplunkTrust

This should do it:

(([^\]]+\]){7})\s+-\s+(?<ErrorMessage>[^:\r\n]+)

In search:

.... | rex "(([^\]]+\]){7})\s+-\s+(?<ErrorMessage>[^:\r\n]+)"

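As an added check (not part of the original thread), the accepted rex pattern above run in Python over three constructed events modelled on the question's samples, showing that one expression covers all three stop conditions (first ':', first line break, or end of event). Python's re module needs the (?P<name>...) form for named groups, whereas Splunk's rex accepts (?<name>...); the pattern is otherwise unchanged.

```python
import re

# The accepted answer's rex pattern, translated to Python's named-group syntax.
# Only text AFTER the 7th ']' is subject to the [^:\r\n] rule, so the colons
# inside the leading timestamp field do not terminate the match early.
ERROR_MESSAGE_RE = re.compile(
    r"(([^\]]+\]){7})"               # seven bracketed fields: [ts] [ERROR] ... [Handler]
    r"\s+-\s+"                       # the " - " separator before the free-text message
    r"(?P<ErrorMessage>[^:\r\n]+)"   # everything up to the first ':' or line break
)

# Constructed sample events (same shape as the three samples in the question).
_PREFIX = (
    "[02-10-2017_13:11:10.973_PST] [ERROR] - [kH8p2xg4k-] [user@ABCmail.com] [] [shared] "
    "[BilledWirelessEquipmentChargesAlertHandler] - Error Occured in method "
    "BilledWirelessEquipmentChargesAlertHandler.executeHandler and the exception is"
)
SAMPLE_EVENTS = [
    _PREFIX + ":gndrgnkjhkjhk:frnfer gnerg : trentertj",   # 1) stop at the first ':'
    _PREFIX + " invalid input",                           # 2) no ':' or newline: whole remainder
    _PREFIX + " invalid input\n\tat Handler.java:42",     # 3) stop at the line break
]


def extract_error_message(event: str):
    """Return the ErrorMessage field for one raw event, or None when the event
    does not contain seven bracketed fields followed by ' - ' (no extraction)."""
    m = ERROR_MESSAGE_RE.search(event)
    return m.group("ErrorMessage") if m else None


def extract_all(events):
    """Apply the extraction to a list of raw events, mirroring '| rex' over a search."""
    return [extract_error_message(e) for e in events]


if __name__ == "__main__":
    for msg in extract_all(SAMPLE_EVENTS):
        print(repr(msg))
```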


Re: Regex to return full string or string until first match of :

Explorer

@somesoni2 Excellent, worked like a charm. Thank you so much.

0 Karma