I'm using Splunk to examine the event logs on some servers looking for details regarding application crashes with the following search:
This search returns a "Message" field that contains text which begins like this:
tman.oci.exe.42636 (trace:0) (DbDmlStmtHandle::Execute): Error -> Database access error (-1). Msg: [ ORA-00001: unique constraint (UCICOBG.IXCTPROFILEUNIQUEID) violated ] .13808 (trace:0) (DBReopenDatabase(connection lost)): Error -> Database access error (-3113). Msg: [ ORA-03113: end-of-file on communication channel Process ID: 0
I'm trying to extract a field with just the application name information in it (in this case "ORA-0001", "ORA-03113)
I stopped at that expression (ORA- [0-9]. *), How can I use rex to filter just that field?
| rex field=message max_match=0 "(?<applications>\w+\-\d+):\s"
You can either expand or join values in applications if needed.
| rex field=message max_match=0 "(?<applications>\w+\-\d+):\s" | eval application=mvjoin(applications, ",")
| rex field=message max_match=0 "(?<applications>\w+\-\d+):\s" | mvexpand applications
If this reply helps you, an upvote/like would be appreciated.