Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

When trying to return different error messages with one saved search/alert, how do I combine 2 searches where one uses regex(OR is not allowed)?

cmahan
Path Finder
‎09-28-2018 12:39 PM

I am trying to return several different error messages with one saved search / alert.

I can get all of them individually and I can get 3 of the 4 together, but when I try to add the one that uses a regex, it wants to apply the regex to everything or ignore it depending on the order.

The regex is being used because one of the errors is distinguished by having nothing after the string "java.lang.NullPointerException" while one of the others does have more after that string. I can't seem to use append or join or OR. I got it to at least not error using OR by putting brackets, but the results did not show as expected.

I'm sure there is a better way to do this?

index=prod source="/ep/logs/ep-cortex.log" sourcetype=c2b:cortex  "java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
    at java.util.ArrayList.rangeCheck(ArrayList.java:653)
    at java.util.ArrayList.get(ArrayList.java:429)
    at com.elasticpath.extensions.rest.resource.impl.EstimateCartsResourceOperatorImpl.createCartEstimate(EstimateCartsResourceOperatorImpl.java" 
OR "java.lang.NullPointerException
    at com.elasticpath.extensions.domain.shoppingcart.impl.AbstractQuantityPriceCalculatorImpl.roundAmountBasedOnTaxType(AbstractQuantityPriceCalculatorImpl.java" 
OR "com.elasticpath.extensions.ws.service.WebServiceUtil - Errors returned from Tibco. Context: get customer match, Errors: [Arithmetic overflow error for data type tinyint, value =" OR [search sourcetype=c2b:cortex "java.lang.NullPointerException" |regex _raw="java.lang.NullPointerException$"]
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-29-2018 03:17 AM

Hi cmahan,
at first I don't like to have a multi line string, maybe it's better to have more separated strings to have more possibilities to have results.

in addition, at the end of a subsearch you need to have the fields or the table commands to declare which are the fields used to search otherwise the subsearch returns all the fields that will be used in the search and usually hasn't results.

In addition I don't like to not declare index in subsearch. if runs is slower!

About the regex identify a minor regex e.g. the following

| regex "java.lang.NullPointerException\s+at\s+com\."

Bye.
Giuseppe

0 Karma
Reply

reed_kelly
Contributor
‎09-28-2018 01:17 PM

Is it just an issue with your regex command? To do multi-line regex, you may have to add (?s) or (?m) to the beginning of the expression.

0 Karma
Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...