Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

extracting field using rex props.conf

JoshuaJohn
Contributor
‎08-24-2016 07:56 AM

I have data that looks like this:

**** Error  Wed Aug 24 09:36:52 CDT 204941272049412507  /nitro/com/t/Manager    Cexception for the payment id -     nitro.com.Exception: The field with id pg73180373180 failed to be authorized. Reason: mls_error_checkout_action_err_decline
    at com.nitropay.MLSManager.newAuthorize(MLSManager.java:450)
    at com.nitropay.MLSManager.authorize(MLSManager.java:320)
... 50 lines omitted ...

&

    **** Error  Wed Aug 24 09:36:29 CDT 2389657 /nitro/servlet/pipe/Manager/Scope-244474/nitro/com/cc/order/CartFormHandler MLSCSRModifierHandler (preAddItemToOrder), orderId:4585558558 profileId:22542   com.nitro.cc.order.MLSCartException: mls_error_cart_add_inactive_item
at com.nitro.cc.order.MLSCartVManager.validateAddItemToOrder(MLSCartVManager.java:109)
        at

I am trying to extract mls_error_checkout_action_err_decline and mls_error_cart_add_inactive_item so I used this rex (?(mls_error_)\w+) and it seems to work fine when testing in a query but when I try to add it to the props.conf file the extracted field will not show up. This is what my query looks like in my props.conf: EXTRACT-mls_error = (?<mls_error>(mls_error_*)\w+)

(Note there is a asterisk after mls_error_(asterisk))

Any solutions?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-24-2016 08:29 AM

I don't see a reason to put a * in your regex. Also, I don't see it in your rex in search.

Try this for your props.conf

EXTRACT-mls_error = (?<mls_error>(mls_error_)\w+)

OR 

EXTRACT-mls_error = (?<mls_error>mls_error_[^\s]+)

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-24-2016 08:29 AM

I don't see a reason to put a * in your regex. Also, I don't see it in your rex in search.

Try this for your props.conf

EXTRACT-mls_error = (?<mls_error>(mls_error_)\w+)

OR 

EXTRACT-mls_error = (?<mls_error>mls_error_[^\s]+)
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...