Splunk Search

not able to fetch values from log

vineela
Path Finder

I have a log and I am able to fetch all the codes, which are of the same format, but I am not able to fetch the logs of one error code:

{"stream":"stderr","logtag":"P","log":"10/May/2024:09:31:53 +1000 [dgbttrfr] [correlationId=] [subject=], ERROR au.com.jbjcbdj.o.fefewgr.logging.LoggingUtil - severity = \"ERROR\", DateTimestamp = \"09/May/2024 23:31:53\", errorCode = \"PAY_STAT_ERR_0017\", errorMessage = \"Not able to fetch error\","hostname":"ip-101-156-185.ap-southeast-2.internal","host_ip":"10.56","cluster":"nod/pmn08"}

I tried fetching using this:

|rex field=log "errorCode\s=\s*(?<errorCode>[^,\s]+)"

and as a key value pair:

|rex field=log "errorCode\s=\s*(?<errorCode>[^,\s]+)"

But I am not able to fetch the values, whereas I am able to fetch all other codes except this one.

Can anyone help?

Thanks in advance

gcusello
SplunkTrust

Hi @vineela,

Do you always have the backslashes in your logs?

If yes, you should consider them in the regex:

in regex101.com https://regex101.com/r/7Fq96D/1

errorCode\s*\=\s*\\\"(?<errorCode>[^\\]+)

But in Splunk you must try:

| rex "errorCode\s*\=\s*\\\\\"(?<errorCode>[^\\]+)"

Ciao.

Giuseppe

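To make the point of the thread concrete, the following is an added example (not code from either poster, and not Splunk itself) that applies the three patterns from the thread with Python's re module, whose syntax is close enough to the PCRE used by rex for these patterns (the named group is spelled (?P<name>...) instead of (?<name>...)). It runs each pattern against both the raw event text, where the quotes around each value appear as \" , and the decoded "log" field, where a JSON extraction has already turned \" into a plain ". The sample event is constructed from the one in the question; the posted JSON is cut off after errorMessage, so the closing quote of the log string is added to make it parse. The third pattern, with an optional backslash, is an assumed generalisation that goes beyond the answer and is not part of the thread.

```python
import json
import re

# Constructed sample event shaped like the one in the question. The original
# post's JSON is cut off after errorMessage, so the closing quote of the "log"
# string is added here to make it valid JSON. Inside that JSON string the quotes
# around each value are escaped as \" , which is what the rex must cope with.
RAW_EVENT = r'''{"stream":"stderr","logtag":"P","log":"10/May/2024:09:31:53 +1000 [dgbttrfr] [correlationId=] [subject=], ERROR au.com.jbjcbdj.o.fefewgr.logging.LoggingUtil - severity = \"ERROR\", DateTimestamp = \"09/May/2024 23:31:53\", errorCode = \"PAY_STAT_ERR_0017\", errorMessage = \"Not able to fetch error\"","hostname":"ip-101-156-185.ap-southeast-2.internal","host_ip":"10.56","cluster":"nod/pmn08"}'''

# Splunk's rex uses PCRE named groups, (?<name>...); Python's re spells the
# same thing (?P<name>...). The patterns are otherwise copied from the thread.

# The question's pattern: it stops at a comma or whitespace, so the surrounding
# \" (raw) or " (decoded) characters end up inside the captured value.
ORIGINAL_RE = re.compile(r'errorCode\s=\s*(?P<errorCode>[^,\s]+)')

# The answer's regex101 pattern: it requires a literal backslash-quote before
# the value and reads up to the next backslash, so it only fits the raw form.
ANSWER_RE = re.compile(r'errorCode\s*\=\s*\\\"(?P<errorCode>[^\\]+)')

# Assumed generalisation (not from the thread): the backslash is optional and
# the value stops at either a quote or a backslash, so one pattern serves both
# the raw escaped text and the decoded field.
TOLERANT_RE = re.compile(r'errorCode\s*=\s*\\?"(?P<errorCode>[^"\\]+)')


def decode_log_field(raw_event: str) -> str:
    """Return the value of the "log" key the way a JSON extraction presents it:
    the escaped quotes have become plain quotes and no backslashes remain."""
    return json.loads(raw_event)["log"]


def extract(pattern: re.Pattern, text: str):
    """Apply one rex-style pattern to text; None when it does not match."""
    m = pattern.search(text)
    return m.group("errorCode") if m else None


def compare_patterns(raw_event: str) -> dict:
    """Run all three patterns over the raw event and over the decoded log field.

    Each entry is a (match_on_raw, match_on_decoded) pair."""
    decoded = decode_log_field(raw_event)
    return {
        "original": (extract(ORIGINAL_RE, raw_event), extract(ORIGINAL_RE, decoded)),
        "answer": (extract(ANSWER_RE, raw_event), extract(ANSWER_RE, decoded)),
        "tolerant": (extract(TOLERANT_RE, raw_event), extract(TOLERANT_RE, decoded)),
    }


if __name__ == "__main__":
    for name, (on_raw, on_decoded) in compare_patterns(RAW_EVENT).items():
        print(f"{name:9s} raw={on_raw!r:28s} decoded={on_decoded!r}")
```

The useful check before choosing a rex is therefore which of the two forms the field you extract from actually holds: the question's pattern matches in both cases but returns the code wrapped in quote characters, the answer's pattern returns the bare code only when the backslashes are present in the field, and a pattern that tolerates an optional backslash returns the bare code either way.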