Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk split events to extract text

ppatkar
Path Finder
‎02-22-2021 01:49 AM

I have multiple events in Splunk like below :

Exception:100 : *** Error 3006 Logons are disabled., Job=ABC
Exception:XYZ API has failed. Exception: RDBMS error 2801: Duplicate unique prime key error, Job=ABC
Exception:100 : RDBMS error 2640: Specified table either does not exist in DEX or is moved to another map., Job=ABC

I am looking for the text between "Exception:" and ", Job" 

Output desired :

*** Error 3006 Logons are disabled.
RDBMS error 2801: Duplicate unique prime key error
RDBMS error 2640: Specified table either does not exist in DEX or is moved to another map.

I was trying split like below, however in some events , "Exception:" appears twice.  Hence second case above , gives me XYZ API has failed :

eval temp=split(_raw, "Exception:") | eval temp1 = mvindex(temp,1) | eval temp2=split(temp1,"), Job") | eval EXCEPTION=mvindex(temp2,0)

Is there any way to split based on second or last occurrence of Exception in the event ? 

Thank you for any suggestion/help.

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-22-2021 03:17 AM

Use a negative index

 

| eval temp=split(_raw, "Exception:") 
| eval temp1 = mvindex(temp,-1) 
| eval temp2=split(temp1,", Job") 
| eval EXCEPTION=mvindex(temp2,0)

 

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-22-2021 03:17 AM

Use a negative index

 

| eval temp=split(_raw, "Exception:") 
| eval temp1 = mvindex(temp,-1) 
| eval temp2=split(temp1,", Job") 
| eval EXCEPTION=mvindex(temp2,0)

 

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-22-2021 02:34 AM

Hi @ppatkar,

please try this regex:

| rex "(Exception:)(?!.*\1)(?<exception>[^,]+),\s+"

that you can test at https://regex101.com/r/5hGUXo/1

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

ppatkar
Path Finder
‎02-22-2021 04:11 AM

Thanks @gcusello  . It works in general , however it breaks when my Exception has "," in it .

Ex : Exception:XYZ API has failed. Exception: ApiError(ERR361, No bucket found), Job=ABC

Output desired in this case : Exception: ApiError(ERR361, No bucket found)

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-22-2021 04:57 AM

Hi @ppatkar,

please, try this:

 

| rex "(Exception:)(?!.*\1)(?<exception>.+),\s+Job"

 

that you can test at https://regex101.com/r/5hGUXo/2

Ciao.

Giuseppe

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...