Splunk Search

extracting a field from message

Path Finder

Hello Team,

I have below event and I am trying to extract this number 29120120  as a field and tried with below search but no luck, can anyone help me? 

 

source=system.log index=cassdb  ERROR AND "Failed to apply mutation locally" | rex field=_raw "Mutation\sof\s(?\d+)\s"

ERROR [SharedPool-Worker-2] 2020-09-15 20:20:00,815 StorageProxy.java:1348 - Failed to apply mutation locally : {} java.lang.IllegalArgumentException: Mutation of 29120120 bytes is too large for the maximum size of 16777216 at org.apache.cassandra.db.commitlog.CommitLog.add(CommitLog.java:256) ~[cassandra-all-3.0.13.1735.jar:3.0.13.1735] at org.apache.cassandra.db.Keyspace.applyInternal(Keyspace.java:596) ~[cassandra-all-3.0.13.1735.jar:3.0.13.1735] at org.apache.cassandra.db.Keyspace.apply(Keyspace.java:477) ~[cassandra-all-3.0.13.1735.jar:3.0.13.1735] at org.apache.cassandra.db.Mutation.apply(Mutation.java:210) ~[cassandra-all-3.0.13.1735.jar:3.0.13.1735] at org.apache.cassandra.db.Mutation.apply(Mutation.java:215) ~[cassandra-all-3.0.13.1735.jar:3.0.13.1735] at org.apache.cassandra.db.Mutation.apply(Mutation.java:224) ~[cassandra-all-3.0.13.1735.jar:3.0.13.1735] at org.apache.cassandra.service.StorageProxy$8.runMayThrow(StorageProxy.java:1342) ~[cassandra-all-3.0.13.1735.jar:3.0.13.1735] at org.apache.cassandra.service.StorageProxy$LocalMutationRunnable.run(StorageProxy.java:2514) [cassandra-all-3.0.13.1735.jar:3.0.13.1735] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_131] at org.apache.cassandra.concurrent.AbstractLocalAwareExecutorService$FutureTask.run(AbstractLocalAwareExecutorService.java:164) [cassandra-all-3.0.13.1735.jar:3.0.13.1735] at org.apache.cassandra.concurrent.AbstractLocalAwareExecutorService$LocalSessionFutureTask.run(AbstractLocalAwareExecutorService.java:136) [cassandra-all-3.0.13.1735.jar:3.0.13.1735] at org.apache.cassandra.concurrent.SEPWorker.run(SEPWorker.java:105) [cassandra-all-3.0.13.1735.jar:3.0.13.1735] at java.lang.Thread.run(Thread.java:748) [na:1.8.0_131]

Labels (1)
0 Karma

Path Finder

I have tried but none of them working 

0 Karma

SplunkTrust
SplunkTrust

Please share the exact queries you ran that don't work.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Explorer

egex isn't not my strong side, but this might help you

| rex field=Message "Mutation of (?<value>\d+) bytes"
0 Karma

SplunkTrust
SplunkTrust

Try this.

source=system.log index=cassdb  ERROR AND "Failed to apply mutation locally" 
| rex "Mutation of (?<size>\d+) bytes is too large"
---
If this reply helps you, an upvote would be appreciated.
0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!