Splunk Search

extract some text into a field with rex

leandromatperei
Path Finder

I'm using Splunk to examine the event logs on some servers looking for details regarding application crashes with the following search:

 

index=main "ORA-" 

 

This search returns a "Message" field that contains text which begins like this:

 

tman.oci.exe.42636 (trace:0) (DbDmlStmtHandle::Execute): Error[343] -> Database access error (-1).
Msg: [
ORA-00001: unique constraint (UCICOBG.IXCTPROFILEUNIQUEID) violated
]
.13808 (trace:0) (DBReopenDatabase(connection lost)): Error[343] -> Database access error (-3113).
Msg: [
ORA-03113: end-of-file on communication channel
Process ID: 0

 


I'm trying to extract a field with just the application name information in it (in this case "ORA-0001", "ORA-03113)

I stopped at that expression (ORA- [0-9]. *), How can I use rex to filter just that field?

Labels (1)
Tags (1)
0 Karma

manjunathmeti
Champion

hi @leandromatperei.,

Try this:

| rex field=message max_match=0 "(?<applications>\w+\-\d+):\s"

You can either expand or join values in applications if needed.

| rex field=message max_match=0 "(?<applications>\w+\-\d+):\s" 
| eval application=mvjoin(applications, ",")
| rex field=message max_match=0 "(?<applications>\w+\-\d+):\s" 
| mvexpand applications

 

If this reply helps you, an upvote/like would be appreciated.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @leandromatperei,

if you want to extract the Oracle error in a field, you have to use a regex like this:

| rex "(?<error>ORA-\d+)"

that you can test at https://regex101.com/r/raoOka/1

Ciao.

Giuseppe

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| rex max_match=0 "(?<errorcode>ORA\-\d+)"
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...