Splunk Search

extract some text into a field with rex

leandromatperei
Path Finder

I'm using Splunk to examine the event logs on some servers looking for details regarding application crashes with the following search:

 

index=main "ORA-" 

 

This search returns a "Message" field that contains text which begins like this:

 

tman.oci.exe.42636 (trace:0) (DbDmlStmtHandle::Execute): Error[343] -> Database access error (-1).
Msg: [
ORA-00001: unique constraint (UCICOBG.IXCTPROFILEUNIQUEID) violated
]
.13808 (trace:0) (DBReopenDatabase(connection lost)): Error[343] -> Database access error (-3113).
Msg: [
ORA-03113: end-of-file on communication channel
Process ID: 0

 


I'm trying to extract a field with just the application name information in it (in this case "ORA-0001", "ORA-03113)

I stopped at that expression (ORA- [0-9]. *), How can I use rex to filter just that field?

Labels (1)
Tags (1)
0 Karma

manjunathmeti
SplunkTrust
SplunkTrust

hi @leandromatperei.,

Try this:

| rex field=message max_match=0 "(?<applications>\w+\-\d+):\s"

You can either expand or join values in applications if needed.

| rex field=message max_match=0 "(?<applications>\w+\-\d+):\s" 
| eval application=mvjoin(applications, ",")
| rex field=message max_match=0 "(?<applications>\w+\-\d+):\s" 
| mvexpand applications

 

If this reply helps you, an upvote/like would be appreciated.

0 Karma

gcusello
Legend

Hi @leandromatperei,

if you want to extract the Oracle error in a field, you have to use a regex like this:

| rex "(?<error>ORA-\d+)"

that you can test at https://regex101.com/r/raoOka/1

Ciao.

Giuseppe

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| rex max_match=0 "(?<errorcode>ORA\-\d+)"
0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...