Splunk Search

Regex to return full string or string until first match of :

pradjswl
Explorer

My raw data is in the format
Sample 1)

[02-10-2017_13:11:10.973_PST] [ERROR] - [kH8p2xg4k-] [user@ABCmail.com] [] [shared] [BilledWirelessEquipmentChargesAlertHandler] - Error Occured in method BilledWirelessEquipmentChargesAlertHandler.executeHandler and the exception is:gndrgnkjhkjhk:frnfer gnerg : trentertj gelkdjngodg gldkrjgld:

sample 2)
[02-10-2017_13:11:10.973_PST] [ERROR] - [kH8p2xg4k-] [user@ABCmail.com] [] [shared] [BilledWirelessEquipmentChargesAlertHandler] - Error Occured in method BilledWirelessEquipmentChargesAlertHandler.executeHandler and the exception is invalid input

sample 3)
[02-10-2017_13:11:10.973_PST] [ERROR] - [kH8p2xg4k-] [user@ABCmail.com] [] [shared] [BilledWirelessEquipmentChargesAlertHandler] - Error Occured in method BilledWirelessEquipmentChargesAlertHandler.executeHandler and the exception is invalid input

error log continue after new line.

Anything after the 7th ] has the error description. I would like the regex to return
1) the string until the first match of the : character
2) if the string doesn't have a : character, then the string until the new line \n character
3) if there is no : or new line, then the complete string

I'm trying (?:\].*?){7}\s-\s(?P\.*)[\n\:]? but it doesn't seem to be working

Appreciate your suggestion.

0 Karma
1 Solution

somesoni2
Revered Legend

This should do it

(([^\]]+\]){7})\s+-\s+(?<ErrorMessage>[^:\r\n]+)

in search

.... | rex "(([^\]]+\]){7})\s+-\s+(?<ErrorMessage>[^:\r\n]+)"
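To check the accepted pattern against the three cases from the question, here is an added Python example (not code from the thread; Python spells the named group as `(?P<ErrorMessage>...)` where Splunk's rex uses `(?<ErrorMessage>...)`), run on constructed copies of the sample events:

```python
import re
from typing import Dict, Optional

# The accepted answer's pattern, named group rewritten in Python syntax.
# Seven "[...]" fields are consumed first, so the ':' characters inside the
# timestamp field can never stop the capture; "[^:\r\n]+" then takes everything
# up to the first ':' or line break, or the whole remainder if neither occurs.
ERROR_MESSAGE_RE = re.compile(r"(([^\]]+\]){7})\s+-\s+(?P<ErrorMessage>[^:\r\n]+)")

# Constructed sample events mirroring the three samples in the question.
PREFIX = ("[02-10-2017_13:11:10.973_PST] [ERROR] - [kH8p2xg4k-] [user@ABCmail.com] "
          "[] [shared] [BilledWirelessEquipmentChargesAlertHandler] - ")
TAIL = ("Error Occured in method BilledWirelessEquipmentChargesAlertHandler"
        ".executeHandler and the exception is")
SAMPLES: Dict[str, str] = {
    # case 1: message ends at the first ':' after the seven bracket fields
    "colon": PREFIX + TAIL + ":gndrgnkjhkjhk:frnfer gnerg : trentertj gelkdjngodg gldkrjgld:",
    # case 2: no ':' in the message, so it ends at the new line
    "newline": PREFIX + TAIL + " invalid input\nerror log continue after new line.",
    # case 3: neither ':' nor new line, so the whole remainder is returned
    "plain": PREFIX + TAIL + " invalid input",
}


def extract_error_message(event: str) -> Optional[str]:
    """Return the ErrorMessage field rex would create, or None if the event has
    fewer than seven bracket fields and therefore does not match."""
    m = ERROR_MESSAGE_RE.search(event)
    return m.group("ErrorMessage") if m else None


def extract_all(events: Dict[str, str]) -> Dict[str, Optional[str]]:
    return {name: extract_error_message(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, msg in extract_all(SAMPLES).items():
        print(f"{name:8} -> {msg!r}")
```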


pradjswl
Explorer

@somesoni2 excellent, worked like a charm. Thank you so much

0 Karma

niketn
Legend

Based on the three samples provided, I could extract the following meaningful information from your logs (ComponentName and ObjectName may be the same). In your data, ComponentName, ObjectName and ModuleName are the same for all three examples. So, you can replace these with actual text from your log and extract Reason, which seems to be the only field you might be interested in based on your question. PS: I have tested on Regex101.

\[(?<ComponentName>\w+)\]\s\-\sError Occured in method (?<ObjectName>\w+)\.(?<ModuleName>\w+) and the exception is(?<Reason>.*)


____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

pradjswl
Explorer

@niketnilay Thanks for the quick response. Those were just three different versions of the same log to clarify how the log would look with respect to the position of ':' or a new line.

The content 'Error Occurred in method' & 'and the exception is' keeps on changing for every log.
I am sorry if my sample pattern looks similar. I would be extracting the interesting field into only one field; either it should satisfy criterion 1, or if 1 is not satisfied then it would look for the 2nd, else the 3rd.

0 Karma

niketn
Legend

Can you try this

\[(?<ComponentName>\w+)\]\s\-\s(?<Error>[\w|\s]+)\.(?<Reason>[\w|\s|:]+)

Alternatively can you try Splunk Field extraction for specific scenario and let Splunk come up with the extraction. You can include non-matches and also remove incorrect match through interactive field extraction.

0 Karma