Solved: extract all "cause by"

indeed_2000 · ‎10-26-2021

Hi

I have lots "Caused by:" in (single or multiple) events

How extract all line that contain "Caused by:"

like this:

Caused by: java.sql.SQLException: ISAM error: duplicate value for a record with unique key.

Any idea?

Thanks,

nmohammed · ‎10-26-2021

Can you share the exception with multiple Caused by : ?

meanwhile, you can try this -

base search
| rex field=_raw "Caused by:\s*(?P<exception_cause>.*)"

View solution in original post

nmohammed · ‎10-26-2021

Can you share the exception with multiple Caused by : ?

meanwhile, you can try this -

base search
| rex field=_raw "Caused by:\s*(?P<exception_cause>.*)"

PickleRick · ‎10-26-2021

Ahhh... the infamous java logs and stacktraces.

For java I believe the only reasonable solution is to force the source end to produce the logs in civilized format (i.e. properly configure log4j). Otherwise you end up with something unparseable, especially if you manage to get timstamp at the beginning of each log line - it's game over. There's nothing reasonable to correlate the logs on.

indeed_2000 · ‎10-26-2021

any other idea?

PickleRick · ‎10-26-2021

If you have the log in which every entry begins with the timestamp and you luckily don't have the timestamp repeated, you might try breaking the events at timestamp. That way you'll get your huge event.

extract all "cause by"

field extraction

fields

rex

stats

table

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?