Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

extracting a field from message

chandukreddi
Path Finder
‎09-16-2020 10:09 AM

Hello Team,

I have below event and I am trying to extract this number 29120120  as a field and tried with below search but no luck, can anyone help me? 

 

source=system.log index=cassdb  ERROR AND "Failed to apply mutation locally" | rex field=_raw "Mutation\sof\s(?\d+)\s"

ERROR [SharedPool-Worker-2] 2020-09-15 20:20:00,815 StorageProxy.java:1348 - Failed to apply mutation locally : {} java.lang.IllegalArgumentException: Mutation of 29120120 bytes is too large for the maximum size of 16777216 at org.apache.cassandra.db.commitlog.CommitLog.add(CommitLog.java:256) ~[cassandra-all-3.0.13.1735.jar:3.0.13.1735] at org.apache.cassandra.db.Keyspace.applyInternal(Keyspace.java:596) ~[cassandra-all-3.0.13.1735.jar:3.0.13.1735] at org.apache.cassandra.db.Keyspace.apply(Keyspace.java:477) ~[cassandra-all-3.0.13.1735.jar:3.0.13.1735] at org.apache.cassandra.db.Mutation.apply(Mutation.java:210) ~[cassandra-all-3.0.13.1735.jar:3.0.13.1735] at org.apache.cassandra.db.Mutation.apply(Mutation.java:215) ~[cassandra-all-3.0.13.1735.jar:3.0.13.1735] at org.apache.cassandra.db.Mutation.apply(Mutation.java:224) ~[cassandra-all-3.0.13.1735.jar:3.0.13.1735] at org.apache.cassandra.service.StorageProxy$8.runMayThrow(StorageProxy.java:1342) ~[cassandra-all-3.0.13.1735.jar:3.0.13.1735] at org.apache.cassandra.service.StorageProxy$LocalMutationRunnable.run(StorageProxy.java:2514) [cassandra-all-3.0.13.1735.jar:3.0.13.1735] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_131] at org.apache.cassandra.concurrent.AbstractLocalAwareExecutorService$FutureTask.run(AbstractLocalAwareExecutorService.java:164) [cassandra-all-3.0.13.1735.jar:3.0.13.1735] at org.apache.cassandra.concurrent.AbstractLocalAwareExecutorService$LocalSessionFutureTask.run(AbstractLocalAwareExecutorService.java:136) [cassandra-all-3.0.13.1735.jar:3.0.13.1735] at org.apache.cassandra.concurrent.SEPWorker.run(SEPWorker.java:105) [cassandra-all-3.0.13.1735.jar:3.0.13.1735] at java.lang.Thread.run(Thread.java:748) [na:1.8.0_131]

Labels (1)
Labels
0 Karma
Reply

chandukreddi
Path Finder
‎09-16-2020 12:21 PM

I have tried but none of them working 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-16-2020 12:45 PM

Please share the exact queries you ran that don't work.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

erikwie
Path Finder
‎09-16-2020 10:34 AM

egex isn't not my strong side, but this might help you

| rex field=Message "Mutation of (?<value>\d+) bytes"
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-16-2020 10:30 AM

Try this.

source=system.log index=cassdb  ERROR AND "Failed to apply mutation locally" 
| rex "Mutation of (?<size>\d+) bytes is too large"
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...