Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regular Expression to find the cases

akarivaratharaj
Communicator
‎08-02-2018 05:37 AM

I have to find a set of Exception names from my events. Below are the sample text and its corresponding Regular expression which I am trying

Sample Text:
1. Caused by: javax.transaction.TransactionRolledbackException:
2. Caused by: com.gtnexus.database.exception.NoEntryAffectedException:

Expression used:
rex field=_raw "Caused by: (?P^.(.+?)):"

Expect Result:
"TransactionRolledbackException"
"NoEntryAffectedException"

With my above regex I am getting "javax.transaction.TransactionRolledbackException" but I need only the exception name as "TransactionRolledbackException"

Could you please help me on this

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

andreacefali
Engager
‎08-02-2018 06:50 AM

Based on nittala answer:

rex field=_raw "Caused\sby\:\s.+\.(?<ExceptionName>[^:]+):"

This takes in consideration also an error that doesn't end with "Exception" word

View solution in original post

Reply
Solved! Jump to solution

senthilgoa
Engager
‎08-02-2018 11:35 PM

(?[A-Z].*:)

(?
Assigned ==>
Starting Char ==> [A-Z]
Followed by any no char ==> .*
End with : ==> :
)

you get results like below

Match 1
Status= TransactionRolledbackException:
Match 2
Status= NoEntryAffectedException:

0 Karma
Reply
Solved! Jump to solution
Solution

andreacefali
Engager
‎08-02-2018 06:50 AM

Based on nittala answer:

rex field=_raw "Caused\sby\:\s.+\.(?<ExceptionName>[^:]+):"

This takes in consideration also an error that doesn't end with "Exception" word

Reply
Solved! Jump to solution

akarivaratharaj
Communicator
‎08-02-2018 09:39 PM

Wow! Thankyou!!

0 Karma
Reply
Solved! Jump to solution

sudosplunk
Motivator
‎08-02-2018 06:02 AM

Hello, give this a try:

Note: I am assuming that exception name is always preceded by period .

rex field=_raw "Caused\sby\:\s.+\.(?<ExceptionName>\w+Exception):"

Tested here.

Reply
Solved! Jump to solution

akarivaratharaj
Communicator
‎08-02-2018 09:39 PM

Thankyou for the response.

0 Karma
Reply
Solved! Jump to solution

akarivaratharaj
Communicator
‎08-13-2018 12:39 AM

Both the answers by @nittala_surya and @andreacefali are useful. Thankyou for the quick help

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...