Re: extract some text into a field with rex

leandromatperei · ‎03-12-2021

I'm using Splunk to examine the event logs on some servers looking for details regarding application crashes with the following search:

index=main "ORA-"

This search returns a "Message" field that contains text which begins like this:

tman.oci.exe.42636 (trace:0) (DbDmlStmtHandle::Execute): Error[343] -> Database access error (-1).
Msg: [
ORA-00001: unique constraint (UCICOBG.IXCTPROFILEUNIQUEID) violated
]
.13808 (trace:0) (DBReopenDatabase(connection lost)): Error[343] -> Database access error (-3113).
Msg: [
ORA-03113: end-of-file on communication channel
Process ID: 0

I'm trying to extract a field with just the application name information in it (in this case "ORA-0001", "ORA-03113)

I stopped at that expression (ORA- [0-9]. *), How can I use rex to filter just that field?

manjunathmeti · ‎03-12-2021

hi @leandromatperei.,

Try this:

| rex field=message max_match=0 "(?<applications>\w+\-\d+):\s"

You can either expand or join values in applications if needed.

| rex field=message max_match=0 "(?<applications>\w+\-\d+):\s" 
| eval application=mvjoin(applications, ",")

| rex field=message max_match=0 "(?<applications>\w+\-\d+):\s" 
| mvexpand applications

If this reply helps you, an upvote/like would be appreciated.

gcusello · ‎03-12-2021

Hi @leandromatperei,

if you want to extract the Oracle error in a field, you have to use a regex like this:

| rex "(?<error>ORA-\d+)"

that you can test at https://regex101.com/r/raoOka/1

Ciao.

Giuseppe

ITWhisperer · ‎03-12-2021

| rex max_match=0 "(?<errorcode>ORA\-\d+)"

extract some text into a field with rex

field extraction

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!