Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk split events to extract text

ppatkar
Path Finder
‎02-22-2021 01:49 AM

I have multiple events in Splunk like below :

Exception:100 : *** Error 3006 Logons are disabled., Job=ABC
Exception:XYZ API has failed. Exception: RDBMS error 2801: Duplicate unique prime key error, Job=ABC
Exception:100 : RDBMS error 2640: Specified table either does not exist in DEX or is moved to another map., Job=ABC

I am looking for the text between "Exception:" and ", Job" 

Output desired :

*** Error 3006 Logons are disabled.
RDBMS error 2801: Duplicate unique prime key error
RDBMS error 2640: Specified table either does not exist in DEX or is moved to another map.

I was trying split like below, however in some events , "Exception:" appears twice.  Hence second case above , gives me XYZ API has failed :

eval temp=split(_raw, "Exception:") | eval temp1 = mvindex(temp,1) | eval temp2=split(temp1,"), Job") | eval EXCEPTION=mvindex(temp2,0)

Is there any way to split based on second or last occurrence of Exception in the event ? 

Thank you for any suggestion/help.

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-22-2021 03:17 AM

Use a negative index

 

| eval temp=split(_raw, "Exception:") 
| eval temp1 = mvindex(temp,-1) 
| eval temp2=split(temp1,", Job") 
| eval EXCEPTION=mvindex(temp2,0)

 

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-22-2021 03:17 AM

Use a negative index

 

| eval temp=split(_raw, "Exception:") 
| eval temp1 = mvindex(temp,-1) 
| eval temp2=split(temp1,", Job") 
| eval EXCEPTION=mvindex(temp2,0)

 

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-22-2021 02:34 AM

Hi @ppatkar,

please try this regex:

| rex "(Exception:)(?!.*\1)(?<exception>[^,]+),\s+"

that you can test at https://regex101.com/r/5hGUXo/1

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

ppatkar
Path Finder
‎02-22-2021 04:11 AM

Thanks @gcusello  . It works in general , however it breaks when my Exception has "," in it .

Ex : Exception:XYZ API has failed. Exception: ApiError(ERR361, No bucket found), Job=ABC

Output desired in this case : Exception: ApiError(ERR361, No bucket found)

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-22-2021 04:57 AM

Hi @ppatkar,

please, try this:

 

| rex "(Exception:)(?!.*\1)(?<exception>.+),\s+Job"

 

that you can test at https://regex101.com/r/5hGUXo/2

Ciao.

Giuseppe

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What has goals but no motivation?

June 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...