extract exception from stacktrace field

donB · ‎11-17-2020

Below is a sample log message. Each message will have string "500 Server Error for HTTP" and i need to extract 3 fields after the occurrence of "500 Server Error for HTTP" string

2020-11-18T00:32:37.632Z LCS userId=null LCE [helper-http-epoll-1] ERROR o.s.b.a.w.r.e.AbstractErrorWebExceptionHandler.error(122) - 500 Server Error for HTTP POST "/sports/v1/boxing"java.net.UnknownHostException: my-rest-service.backend-->	at java.base/java.net.InetAddress$CachedAddresses.get(InetAddress.java:797)-->	Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:

I need to extract 2 fields -

1) method (e.g. - POST)

2) path (between 1st pair of quotes) - e.g, /sports/v1/boxing

and 2)exception_type (anything between 1st quote closing and before first occurrence of -->)

java.net.UnknownHostException: alert-rest-service.backend-

Splunk query i am trying is below

index="k8s*" messageType=ERROR "*Exception:*-->" 
| rex "500 Server Error for HTTP (?<http_method>\\S+).*\\\\\"(?<resource_url>.*)\\\\\"(?<java_exception>.*?(Exception)).*"

Query works fine to extract "http_method" and "resource_url"

but "java_exception" is not being extracted properly. Can someone help?

ITWhisperer · ‎11-18-2020

index="k8s*" messageType=ERROR "*Exception:*-->" 
| rex "500 Server Error for HTTP (?<http_method>\S+).*\\\"(?<resource_url>.*)\\\"(?<java_exception>.*?Exception)"

extract exception from stacktrace field

eval

field extraction

fields

regex

rex

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?