I'm using Splunk to examine the event logs on some servers looking for details regarding application crashes with the following search:
index=main "ORA-"
This search returns a "Message" field that contains text which begins like this:
tman.oci.exe.42636 (trace:0) (DbDmlStmtHandle::Execute): Error[343] -> Database access error (-1).
Msg: [
ORA-00001: unique constraint (UCICOBG.IXCTPROFILEUNIQUEID) violated
]
.13808 (trace:0) (DBReopenDatabase(connection lost)): Error[343] -> Database access error (-3113).
Msg: [
ORA-03113: end-of-file on communication channel
Process ID: 0
I'm trying to extract a field with just the application name information in it (in this case "ORA-0001", "ORA-03113)
I stopped at that expression (ORA- [0-9]. *), How can I use rex to filter just that field?
hi @leandromatperei.,
Try this:
| rex field=message max_match=0 "(?<applications>\w+\-\d+):\s"
You can either expand or join values in applications if needed.
| rex field=message max_match=0 "(?<applications>\w+\-\d+):\s"
| eval application=mvjoin(applications, ",")
| rex field=message max_match=0 "(?<applications>\w+\-\d+):\s"
| mvexpand applications
If this reply helps you, an upvote/like would be appreciated.
Hi @leandromatperei,
if you want to extract the Oracle error in a field, you have to use a regex like this:
| rex "(?<error>ORA-\d+)"
that you can test at https://regex101.com/r/raoOka/1
Ciao.
Giuseppe
| rex max_match=0 "(?<errorcode>ORA\-\d+)"