Splunk Search

Splunk split events to extract text

ppatkar
Path Finder

I have multiple events in Splunk like below:

Exception:100 : *** Error 3006 Logons are disabled., Job=ABC
Exception:XYZ API has failed. Exception: RDBMS error 2801: Duplicate unique prime key error, Job=ABC
Exception:100 : RDBMS error 2640: Specified table either does not exist in DEX or is moved to another map., Job=ABC

I am looking for the text between "Exception:" and ", Job" 

Output desired :

*** Error 3006 Logons are disabled.
RDBMS error 2801: Duplicate unique prime key error
RDBMS error 2640: Specified table either does not exist in DEX or is moved to another map.

I was trying split like below; however, in some events "Exception:" appears twice. Hence the second case above gives me "XYZ API has failed":

eval temp=split(_raw, "Exception:") | eval temp1 = mvindex(temp,1) | eval temp2=split(temp1,"), Job") | eval EXCEPTION=mvindex(temp2,0)

Is there any way to split based on the second or last occurrence of "Exception:" in the event?

Thank you for any suggestion/help.

 

1 Solution

ITWhisperer
SplunkTrust

Use a negative index

| eval temp=split(_raw, "Exception:")
| eval temp1 = mvindex(temp,-1)
| eval temp2=split(temp1,", Job")
| eval EXCEPTION=mvindex(temp2,0)


gcusello
SplunkTrust

Hi @ppatkar,

please try this regex:

| rex "(Exception:)(?!.*\1)(?<exception>[^,]+),\s+"

that you can test at https://regex101.com/r/5hGUXo/1

Ciao.

Giuseppe


ppatkar
Path Finder

Thanks @gcusello. It works in general; however, it breaks when my Exception has "," in it.

Ex : Exception:XYZ API has failed. Exception: ApiError(ERR361, No bucket found), Job=ABC

Output desired in this case : Exception: ApiError(ERR361, No bucket found)


gcusello
SplunkTrust

Hi @ppatkar,

please, try this:

| rex "(Exception:)(?!.*\1)(?<exception>.+),\s+Job"

that you can test at https://regex101.com/r/5hGUXo/2

Ciao.

Giuseppe
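The two approaches in this thread, ITWhisperer's negative-index split and gcusello's last-occurrence regex, re-implemented in Python as an added example (this is not code from the thread or from Splunk), run over constructed events modelled on the ones posted above. Python's `re` names groups as `(?P<name>...)` rather than the `(?<name>...)` that Splunk's `rex` uses; the patterns are otherwise the thread's. Running it shows why `[^,]+` truncates the ApiError case while `.+` followed by the literal `, Job` does not, and that both methods keep the space after "Exception:".

```python
import re
from typing import Optional

# Constructed sample events, modelled on the thread's examples (not real log data).
EVENTS = [
    "Exception:100 : *** Error 3006 Logons are disabled., Job=ABC",
    "Exception:XYZ API has failed. Exception: RDBMS error 2801: Duplicate unique prime key error, Job=ABC",
    "Exception:100 : RDBMS error 2640: Specified table either does not exist in DEX or is moved to another map., Job=ABC",
    "Exception:XYZ API has failed. Exception: ApiError(ERR361, No bucket found), Job=ABC",
]


def extract_by_split(raw: str) -> str:
    """Mirror of the accepted SPL answer: split on 'Exception:', take the last
    piece (negative index), then split on ', Job' and keep what precedes it."""
    temp = raw.split("Exception:")
    temp1 = temp[-1]                 # mvindex(temp, -1): last occurrence
    temp2 = temp1.split(", Job")
    return temp2[0]                  # mvindex(temp2, 0): text before ', Job'


# First regex from the thread: stops at the first comma, so it truncates
# messages that contain a comma themselves.
RE_NO_COMMA = re.compile(r"(Exception:)(?!.*\1)(?P<exception>[^,]+),\s+")

# Revised regex from the thread: consume everything up to the literal ', Job'.
# The negative lookahead (?!.*\1) only lets the LAST 'Exception:' match.
RE_UPTO_JOB = re.compile(r"(Exception:)(?!.*\1)(?P<exception>.+),\s+Job")


def extract_by_regex(raw: str, pattern: re.Pattern) -> Optional[str]:
    """Apply one of the thread's regexes; None when the event does not match."""
    m = pattern.search(raw)
    return m.group("exception") if m else None


if __name__ == "__main__":
    for raw in EVENTS:
        print("event      :", raw)
        print("split      :", repr(extract_by_split(raw)))
        print("regex [^,]+:", repr(extract_by_regex(raw, RE_NO_COMMA)))
        print("regex .+Job:", repr(extract_by_regex(raw, RE_UPTO_JOB)))
        print()
```

The leading space in the extracted value comes from the event itself (`Exception: RDBMS ...`); in SPL it can be removed with `trim()` on the resulting field.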
