Re: Field getting trimmed while fetching

Nidd · ‎01-20-2023

I have some error logs like below:

TYPE=ERROR, DATE_TIME=2022-12-31 03:30:27,281, CLASS_NAME=myClass, METHOD_NAME=myMethod, message=unknown error while fetching recordsjavax.net.ssl.SSLHandshakeException: General SSLEngine problem

TYPE=ERROR, DATE_TIME=2023-01-19 00:38:09,013, CLASS_NAME=myClass, METHOD_NAME=myMethod, message=unknown error while fetching recordsjava.lang.IllegalStateException: could not create the default ssl context

I need to get the message field of these logs and to sort them based on _time. I am trying the below queries to get the same.

Query 1:

index="myIndes" host=myHost source="/my/app/location/app.log" TYPE=ERROR | extract pairdelim=",|" kvdelim="=" | table message | sort _time

Query 2:

index="myIndes" host=myHost source="/my/app/location/app.log" TYPE=ERROR | rex "^(?:(?<message>[^,]*),){7}" | table message | sort _time

But for both these queries, my response looks like below. Instead of getting the entire message field, I am getting just the first word.

--------
message
--------
unknown

Please help on how to achieve this.

scelikok · ‎01-20-2023

Hi @Nidd,

You can use below query;

index="myIndes" host=myHost source="/my/app/location/app.log" TYPE=ERROR 
| rex "message=(?<message>.+)" 
| table message 
| sort _time

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Why are fields getting trimmed while fetching?

eval

field extraction

regex

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector