Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

extract some text into a field with rex

leandromatperei
Path Finder
‎03-12-2021 04:34 AM

I'm using Splunk to examine the event logs on some servers looking for details regarding application crashes with the following search:

 

index=main "ORA-"

 

This search returns a "Message" field that contains text which begins like this:

 

tman.oci.exe.42636 (trace:0) (DbDmlStmtHandle::Execute): Error[343] -> Database access error (-1).
Msg: [
ORA-00001: unique constraint (UCICOBG.IXCTPROFILEUNIQUEID) violated
]
.13808 (trace:0) (DBReopenDatabase(connection lost)): Error[343] -> Database access error (-3113).
Msg: [
ORA-03113: end-of-file on communication channel
Process ID: 0

 


I'm trying to extract a field with just the application name information in it (in this case "ORA-0001", "ORA-03113)

I stopped at that expression (ORA- [0-9]. *), How can I use rex to filter just that field?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

manjunathmeti
Champion
‎03-12-2021 05:22 AM

hi @leandromatperei.,

Try this:

| rex field=message max_match=0 "(?<applications>\w+\-\d+):\s"

You can either expand or join values in applications if needed.

| rex field=message max_match=0 "(?<applications>\w+\-\d+):\s" 
| eval application=mvjoin(applications, ",")
| rex field=message max_match=0 "(?<applications>\w+\-\d+):\s" 
| mvexpand applications

 

If this reply helps you, an upvote/like would be appreciated.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-12-2021 05:21 AM

Hi @leandromatperei,

if you want to extract the Oracle error in a field, you have to use a regex like this:

| rex "(?<error>ORA-\d+)"

that you can test at https://regex101.com/r/raoOka/1

Ciao.

Giuseppe

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-12-2021 05:20 AM 
| rex max_match=0 "(?<errorcode>ORA\-\d+)"
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...