Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex works inline search but not as field extraction...

snoobzilla
Builder
‎07-08-2014 03:27 PM

I have a regex I am using to extract exception from a java stacktrace to get for error analysis. It would be much better to do this as a configured field extract so I can use it in lookups instead of instead of embedding it in my growing base macro. Any help would be appreciated, thanks in advance.

PS... I am a support power user not an admin so what I do is through splunk web, though I can get changes made if I know what to ask for.

In splunk web for field extractions I have this set up... it does NOT work here.

Build id: .*\n(?P<EXCEPTION5>[^\n\t,^\r,^0-9,^=]+)

However, in an inline search of the same events it works... to pull 

"com.X.service.concurrent.exception.ServiceCallException"

using

| rex "Build id: .*\n(?P<EXCEPTION5>[^\n\t,^\r,^0-9,^=]+)"

FROM this event...

ERROR 2014-07-08 17:39:53,484 buildId:X uid:X uiTimingId:InitialStartup-X cid:X clientId:X clientCAID:00JD49W7HBZSZ8S9DYLI {[ACTIVE] ExecuteThread: '223' for queue: 'weblogic.kernel.Default (self-tuning)'} [uiError.critical] clientId:weberr:framework.Err100.message weberrmsg:Uncaught exception during remote object call: X.Y()
Correlation id: 0000000000000000000000000bd910ac-5ab9-53bc6526-836b3940-5513668b5113
Build id: NR_PNG_BUILD_201406271012_RC_RTC-png2014-jun_42
com.X.service.concurrent.exception.ServiceCallException
    at com.X.xml.X.X.locking.v1.ws.concurrent.LockClientResponseCall.getResponseObjLockClientResponse(LockClientResponseCall.java:64)
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-08-2014 03:53 PM

Make sure you've added the field extraction to the correct sourcetype and app. The regex in and of itself seems okay, albeit very messy - you may want to simplify to this: Build id:[^\r\n]+[\r\n]+(?<EXCEPTION5>\S+)

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-08-2014 03:53 PM

Make sure you've added the field extraction to the correct sourcetype and app. The regex in and of itself seems okay, albeit very messy - you may want to simplify to this: Build id:[^\r\n]+[\r\n]+(?<EXCEPTION5>\S+)

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-09-2014 10:44 AM

You can click the check mark to the left of the answer to do that.

Reply
Solved! Jump to solution

snoobzilla
Builder
‎07-09-2014 07:18 AM

Not sure how to mark this answered, but thank you martin! This helped me embed a complex autolookup that will be very useful across my organization.

0 Karma
Reply
Solved! Jump to solution

snoobzilla
Builder
‎07-09-2014 07:14 AM

Simplifying the regex worked. Thanks!

I was on correct sourcetype and app.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...