Splunk Search

Splunk split events to extract text

ppatkar
Path Finder

I have multiple events in Splunk like below :

Exception:100 : *** Error 3006 Logons are disabled., Job=ABC
Exception:XYZ API has failed. Exception: RDBMS error 2801: Duplicate unique prime key error, Job=ABC
Exception:100 : RDBMS error 2640: Specified table either does not exist in DEX or is moved to another map., Job=ABC

I am looking for the text between "Exception:" and ", Job" 

Output desired :

*** Error 3006 Logons are disabled.
RDBMS error 2801: Duplicate unique prime key error
RDBMS error 2640: Specified table either does not exist in DEX or is moved to another map.

I was trying split like below, however in some events , "Exception:" appears twice.  Hence second case above , gives me XYZ API has failed :

eval temp=split(_raw, "Exception:") | eval temp1 = mvindex(temp,1) | eval temp2=split(temp1,"), Job") | eval EXCEPTION=mvindex(temp2,0)

Is there any way to split based on second or last occurrence of Exception in the event ? 

Thank you for any suggestion/help.

 

Labels (2)
0 Karma
1 Solution

ITWhisperer
Ultra Champion

Use a negative index

 

| eval temp=split(_raw, "Exception:") 
| eval temp1 = mvindex(temp,-1) 
| eval temp2=split(temp1,", Job") 
| eval EXCEPTION=mvindex(temp2,0)

 

View solution in original post

ITWhisperer
Ultra Champion

Use a negative index

 

| eval temp=split(_raw, "Exception:") 
| eval temp1 = mvindex(temp,-1) 
| eval temp2=split(temp1,", Job") 
| eval EXCEPTION=mvindex(temp2,0)

 

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @ppatkar,

please try this regex:

| rex "(Exception:)(?!.*\1)(?<exception>[^,]+),\s+"

that you can test at https://regex101.com/r/5hGUXo/1

Ciao.

Giuseppe

0 Karma

ppatkar
Path Finder

Thanks @gcusello  . It works in general , however it breaks when my Exception has "," in it .

Ex : Exception:XYZ API has failed. Exception: ApiError(ERR361, No bucket found), Job=ABC

Output desired in this case : Exception: ApiError(ERR361, No bucket found)

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @ppatkar,

please, try this:

 

| rex "(Exception:)(?!.*\1)(?<exception>.+),\s+Job"

 

that you can test at https://regex101.com/r/5hGUXo/2

Ciao.

Giuseppe