My raw data is in the format
Sample 1)
[02-10-2017_13:11:10.973_PST] [ERROR] - [kH8p2xg4k-] [user@ABCmail.com] [] [shared] [BilledWirelessEquipmentChargesAlertHandler] - Error Occured in method BilledWirelessEquipmentChargesAlertHandler.executeHandler and the exception is:gndrgnkjhkjhk:frnfer gnerg : trentertj gelkdjngodg gldkrjgld:
Sample 2)
[02-10-2017_13:11:10.973_PST] [ERROR] - [kH8p2xg4k-] [user@ABCmail.com] [] [shared] [BilledWirelessEquipmentChargesAlertHandler] - Error Occured in method BilledWirelessEquipmentChargesAlertHandler.executeHandler and the exception is invalid input
Sample 3)
[02-10-2017_13:11:10.973_PST] [ERROR] - [kH8p2xg4k-] [user@ABCmail.com] [] [shared] [BilledWirelessEquipmentChargesAlertHandler] - Error Occured in method BilledWirelessEquipmentChargesAlertHandler.executeHandler and the exception is invalid input
error log continue after new line.
Anything after the 7th ] has the error description. I would like the regex to return
1) string until first match of : character
2) if string doesn't have : character then return string until new line \n character
3) if there are no : or new line then return complete string
I'm trying (?:\].*?){7}\s-\s(?P\.*)[\n\:]?
but it doesn't seem to be working
Appreciate your suggestion.
This should do it
(([^\]]+\]){7})\s+-\s+(?<ErrorMessage>[^:\r\n]+)
in search
.... | rex "(([^\]]+\]){7})\s+-\s+(?<ErrorMessage>[^:\r\n]+)"
@somesoni2 excellent, worked like a charm. Thank you so much
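The accepted pattern run against the three sample shapes from the question, as an added example that is not part of the original thread. It is written in Python, so the named group uses `(?P<ErrorMessage>...)` instead of the `(?<ErrorMessage>...)` form passed to `rex`; the function name, the shortened sample strings and the "short" line are constructed for illustration.

```python
import re

# Accepted pattern in Python syntax. Seven "...]" runs are consumed first, so the
# colons inside the timestamp bracket are never candidates for the stop character.
PATTERN = re.compile(r"(?:[^\]]+\]){7}\s+-\s+(?P<ErrorMessage>[^:\r\n]+)")


def extract_error_message(raw):
    """Return the text after the 7th ']' up to the first ':' or line break, else None."""
    match = PATTERN.search(raw)
    return match.group("ErrorMessage").strip() if match else None


# Constructed inputs based on the question's samples (exception text shortened).
PREFIX = ("[02-10-2017_13:11:10.973_PST] [ERROR] - [kH8p2xg4k-] [user@ABCmail.com] "
          "[] [shared] [BilledWirelessEquipmentChargesAlertHandler] - ")
BODY = ("Error Occured in method BilledWirelessEquipmentChargesAlertHandler"
        ".executeHandler and the exception is")

SAMPLES = {
    # 1) a ':' follows the description: stop at the first ':'
    "colon": PREFIX + BODY + ":gndrgnkjhkjhk:frnfer gnerg",
    # 3) neither ':' nor a line break: the rest of the string is returned
    "no_colon": PREFIX + BODY + " invalid input",
    # 2) no ':' but the event continues on a new line: stop at the line break
    "newline": PREFIX + BODY + " invalid input\nerror log continue after new line.",
    # fewer than seven ']' before " - ": the pattern must not match at all
    "short": "[02-10-2017_13:11:10.973_PST] [ERROR] - too few brackets",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:9} -> {extract_error_message(raw)!r}")
```
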
Based on the three samples provided, I could extract the following meaningful information from your logs (ComponentName and ObjectName may be the same). In your data, ComponentName, ObjectName and ModuleName are the same for all three examples. So, you can replace these with actual text from your log and extract Reason, which seems to be the only field you might be interested in based on your question. PS: I have tested on Regex101.
\[(?<ComponentName>\w+)\]\s\-\sError Occured in method (?<ObjectName>\w+)\.(?<ModuleName>\w+) and the exception is(?<Reason>.*)
@niketnilay Thanks for the quick response. Those were just three different versions of the same log to clarify how the log would look with respect to the position of ':' or new line.
The content 'Error Occurred in method' & 'and the exception is' keeps on changing for every log.
I am sorry if my sample pattern looks similar. I would be extracting the interested field into only one field: either it should specify criteria 1; if 1 is not satisfied then it would look for the 2nd, else the 3rd.
Can you try this
\[(?<ComponentName>\w+)\]\s\-\s(?<Error>[\w|\s]+)\.(?<Reason>[\w|\s|:]+)
Alternatively can you try Splunk Field extraction for specific scenario and let Splunk come up with the extraction. You can include non-matches and also remove incorrect match through interactive field extraction.