Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Regular Expression to find the cases
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have to find a set of Exception names from my events. Below are the sample text and its corresponding Regular expression which I am trying
Sample Text:
1. Caused by: javax.transaction.TransactionRolledbackException:
2. Caused by: com.gtnexus.database.exception.NoEntryAffectedException:
Expression used:
rex field=_raw "Caused by: (?P^.(.+?)):"
Expect Result:
"TransactionRolledbackException"
"NoEntryAffectedException"
With my above regex I am getting "javax.transaction.TransactionRolledbackException" but I need only the exception name as "TransactionRolledbackException"
Could you please help me on this
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on nittala answer:
rex field=_raw "Caused\sby\:\s.+\.(?<ExceptionName>[^:]+):"
This takes in consideration also an error that doesn't end with "Exception" word
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
(?[A-Z].*:)
(?
Assigned ==>
Starting Char ==> [A-Z]
Followed by any no char ==> .*
End with : ==> :
)
you get results like below
Match 1
Status= TransactionRolledbackException:
Match 2
Status= NoEntryAffectedException:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on nittala answer:
rex field=_raw "Caused\sby\:\s.+\.(?<ExceptionName>[^:]+):"
This takes in consideration also an error that doesn't end with "Exception" word
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wow! Thankyou!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, give this a try:
Note: I am assuming that exception name is always preceded by period .
rex field=_raw "Caused\sby\:\s.+\.(?<ExceptionName>\w+Exception):"
Tested here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thankyou for the response.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Both the answers by @nittala_surya and @andreacefali are useful. Thankyou for the quick help
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
