Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Regex help

viksvig
Loves-to-Learn Lots
‎11-11-2021 01:05 PM

Hi, I have the search returning the event

 Nov 10 23:45:3 8888888 Tra[9100]: { EventName: "Error Occurred", BatchId: 095cehcx-87ee-43f6-9663-c2fb833677a978, CorrelationId: 5fghja26b9-fe73-78cb-342b-5123f2ec167896, Payload: BusinessLogicException { Message: "Lead 0000000001VII6N00AX has an agency code that is not 7 digits.", Data: [], InnerException: null, TargetSite: Void Validate(uya.QueryModels.Lead), StackTrace: " at uyu.Models.Lead.Validate(Lead queriedLead)

 

How do i extract only the content on the Message

Message: "Lead 0000000001VII6N00AX has an agency code that is not 7 digits.:"

Labels (1)
Labels
Tags (1)
0 Karma
Reply

bhargavi
Path Finder
‎11-13-2021 02:13 AM

Hello,

Please try the below regex.

|rex field=_raw "\sMessage\:(?P<Message>.*)\,\s\Data"

0 Karma
Reply

manishchoudhary
Loves-to-Learn
‎11-12-2021 10:47 AM

Hello @viksvig ,

 

Please use the below regex value in order to extract the message field at search time. Also, in order to extract the message field for all the logs put this regex value in Setting --> Field extraction 
.*?Message:\s+"(?P<message>.*?)" 

Kindly let me know if it works fine in your environment

Tags (1)
0 Karma
Reply

viksvig
Loves-to-Learn Lots
‎11-23-2021 08:40 AM

It works in the search , but when it sends it as email alert, it only has the dates and the message field is empty

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-11-2021 02:18 PM

It would help to know what you've tried so far.

See if this regex helps

 

| rex "(?<Message>Message: \\\"[^\\\"]+\\\")"

 

If you only need the message itself, then try this

 

| rex "Message: \\\"(?<Message>\\\"[^\\\"]+)"

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

viksvig
Loves-to-Learn Lots
‎11-12-2021 08:00 AM

@richgalloway 

Getting an error for the 1st search

| rex "(?<Message>Message: \\\"[^\\\\"]+\\\")"

Error in 'SearchParser': Missing a search command before '^'. Error at position '81' of search query 'search index=cloud EventName: "Error Occurred" | ...{snipped} {errorcontext = Message>"[^\\\\"]+)"}'.

Getting error for 

| rex "Message: \\\"(?<Message>"[^\\\\"]+)"

Mismatched ']'.

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-12-2021 10:22 AM

Sorry about that.  I had the wrong number of escape characters.  Please try my revised answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

viksvig
Loves-to-Learn Lots
‎11-23-2021 08:39 AM

It works in the search , but when it sends it as email alert, it only has the dates and the messagews are empty

0 Karma
Reply

viksvig
Loves-to-Learn Lots
‎11-29-2021 11:31 AM

@richgalloway @manishchoudhary @bhargavi  any idea why 

I have splunk search - index=cloud EventName: "Error Occurred" XChangeToSalesForce | rename message as "Message" _time as Time | table Time,Message

When i search on splunk search, i get the below response

1637759064  Multiple Terms found for the same agency. Agency code: 

But when the email is sent, i get nothing on the message field . It is set as inline

Time

Message

1637759064 
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...