Splunk Search

extract some text into a field with rex

leandromatperei
Path Finder

I'm using Splunk to examine the event logs on some servers looking for details regarding application crashes with the following search:

 

index=main "ORA-" 

 

This search returns a "Message" field that contains text which begins like this:

 

tman.oci.exe.42636 (trace:0) (DbDmlStmtHandle::Execute): Error[343] -> Database access error (-1).
Msg: [
ORA-00001: unique constraint (UCICOBG.IXCTPROFILEUNIQUEID) violated
]
.13808 (trace:0) (DBReopenDatabase(connection lost)): Error[343] -> Database access error (-3113).
Msg: [
ORA-03113: end-of-file on communication channel
Process ID: 0

 


I'm trying to extract a field with just the application name information in it (in this case "ORA-0001", "ORA-03113)

I stopped at that expression (ORA- [0-9]. *), How can I use rex to filter just that field?

Labels (1)
Tags (1)
0 Karma

manjunathmeti
Champion

hi @leandromatperei.,

Try this:

| rex field=message max_match=0 "(?<applications>\w+\-\d+):\s"

You can either expand or join values in applications if needed.

| rex field=message max_match=0 "(?<applications>\w+\-\d+):\s" 
| eval application=mvjoin(applications, ",")
| rex field=message max_match=0 "(?<applications>\w+\-\d+):\s" 
| mvexpand applications

 

If this reply helps you, an upvote/like would be appreciated.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @leandromatperei,

if you want to extract the Oracle error in a field, you have to use a regex like this:

| rex "(?<error>ORA-\d+)"

that you can test at https://regex101.com/r/raoOka/1

Ciao.

Giuseppe

0 Karma

ITWhisperer
Ultra Champion
| rex max_match=0 "(?<errorcode>ORA\-\d+)"
0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!