Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Regex help

viksvig
Loves-to-Learn Lots
‎11-11-2021 01:05 PM

Hi, I have the search returning the event

 Nov 10 23:45:3 8888888 Tra[9100]: { EventName: "Error Occurred", BatchId: 095cehcx-87ee-43f6-9663-c2fb833677a978, CorrelationId: 5fghja26b9-fe73-78cb-342b-5123f2ec167896, Payload: BusinessLogicException { Message: "Lead 0000000001VII6N00AX has an agency code that is not 7 digits.", Data: [], InnerException: null, TargetSite: Void Validate(uya.QueryModels.Lead), StackTrace: " at uyu.Models.Lead.Validate(Lead queriedLead)

 

How do i extract only the content on the Message

Message: "Lead 0000000001VII6N00AX has an agency code that is not 7 digits.:"

Labels (1)
Labels
Tags (1)
0 Karma
Reply

bhargavi
Path Finder
‎11-13-2021 02:13 AM

Hello,

Please try the below regex.

|rex field=_raw "\sMessage\:(?P<Message>.*)\,\s\Data"

0 Karma
Reply

manishchoudhary
Loves-to-Learn
‎11-12-2021 10:47 AM

Hello @viksvig ,

 

Please use the below regex value in order to extract the message field at search time. Also, in order to extract the message field for all the logs put this regex value in Setting --> Field extraction 
.*?Message:\s+"(?P<message>.*?)" 

Kindly let me know if it works fine in your environment

Tags (1)
0 Karma
Reply

viksvig
Loves-to-Learn Lots
‎11-23-2021 08:40 AM

It works in the search , but when it sends it as email alert, it only has the dates and the message field is empty

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-11-2021 02:18 PM

It would help to know what you've tried so far.

See if this regex helps

 

| rex "(?<Message>Message: \\\"[^\\\"]+\\\")"

 

If you only need the message itself, then try this

 

| rex "Message: \\\"(?<Message>\\\"[^\\\"]+)"

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

viksvig
Loves-to-Learn Lots
‎11-12-2021 08:00 AM

@richgalloway 

Getting an error for the 1st search

| rex "(?<Message>Message: \\\"[^\\\\"]+\\\")"

Error in 'SearchParser': Missing a search command before '^'. Error at position '81' of search query 'search index=cloud EventName: "Error Occurred" | ...{snipped} {errorcontext = Message>"[^\\\\"]+)"}'.

Getting error for 

| rex "Message: \\\"(?<Message>"[^\\\\"]+)"

Mismatched ']'.

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-12-2021 10:22 AM

Sorry about that.  I had the wrong number of escape characters.  Please try my revised answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

viksvig
Loves-to-Learn Lots
‎11-23-2021 08:39 AM

It works in the search , but when it sends it as email alert, it only has the dates and the messagews are empty

0 Karma
Reply

viksvig
Loves-to-Learn Lots
‎11-29-2021 11:31 AM

@richgalloway @manishchoudhary @bhargavi  any idea why 

I have splunk search - index=cloud EventName: "Error Occurred" XChangeToSalesForce | rename message as "Message" _time as Time | table Time,Message

When i search on splunk search, i get the below response

1637759064  Multiple Terms found for the same agency. Agency code: 

But when the email is sent, i get nothing on the message field . It is set as inline

Time

Message

1637759064 
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...