Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk split events to extract text

ppatkar
Path Finder
‎02-22-2021 01:49 AM

I have multiple events in Splunk like below :

Exception:100 : *** Error 3006 Logons are disabled., Job=ABC
Exception:XYZ API has failed. Exception: RDBMS error 2801: Duplicate unique prime key error, Job=ABC
Exception:100 : RDBMS error 2640: Specified table either does not exist in DEX or is moved to another map., Job=ABC

I am looking for the text between "Exception:" and ", Job" 

Output desired :

*** Error 3006 Logons are disabled.
RDBMS error 2801: Duplicate unique prime key error
RDBMS error 2640: Specified table either does not exist in DEX or is moved to another map.

I was trying split like below, however in some events , "Exception:" appears twice.  Hence second case above , gives me XYZ API has failed :

eval temp=split(_raw, "Exception:") | eval temp1 = mvindex(temp,1) | eval temp2=split(temp1,"), Job") | eval EXCEPTION=mvindex(temp2,0)

Is there any way to split based on second or last occurrence of Exception in the event ? 

Thank you for any suggestion/help.

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-22-2021 03:17 AM

Use a negative index

 

| eval temp=split(_raw, "Exception:") 
| eval temp1 = mvindex(temp,-1) 
| eval temp2=split(temp1,", Job") 
| eval EXCEPTION=mvindex(temp2,0)

 

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-22-2021 03:17 AM

Use a negative index

 

| eval temp=split(_raw, "Exception:") 
| eval temp1 = mvindex(temp,-1) 
| eval temp2=split(temp1,", Job") 
| eval EXCEPTION=mvindex(temp2,0)

 

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-22-2021 02:34 AM

Hi @ppatkar,

please try this regex:

| rex "(Exception:)(?!.*\1)(?<exception>[^,]+),\s+"

that you can test at https://regex101.com/r/5hGUXo/1

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

ppatkar
Path Finder
‎02-22-2021 04:11 AM

Thanks @gcusello  . It works in general , however it breaks when my Exception has "," in it .

Ex : Exception:XYZ API has failed. Exception: ApiError(ERR361, No bucket found), Job=ABC

Output desired in this case : Exception: ApiError(ERR361, No bucket found)

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-22-2021 04:57 AM

Hi @ppatkar,

please, try this:

 

| rex "(Exception:)(?!.*\1)(?<exception>.+),\s+Job"

 

that you can test at https://regex101.com/r/5hGUXo/2

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...