Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

whats the rex command to filter the special characters and extract only required fields?

guru89044
Explorer
‎02-25-2018 09:45 PM

Hello experts,

logs looks something like this..

(java.lang.RuntimeException: java.util.concurrent.ExecutionException: java.lang.RuntimeException:...

null\n\njava.lang.IllegalArgumentException
: java.util.concurrent.ExecutionException..
( java.util.concurrent.ExecutionException)
" java.util.concurrent.ExecutionException"

query should ignore the special characters before java and take only exception.

example: query should find "java.lang.IllegalArgumentException" from this log line "null\n\njava.lang.IllegalArgumentException".

I am able to pull exceptions which are not associated with special characters using rex "(?java?.[.\w]+Exception)" but

thanks

Tags (1)
0 Karma
Reply

mayurr98
Super Champion
‎02-26-2018 01:39 AM

can you please provide full sample events and output you want?

0 Karma
Reply

bangalorep
Communicator
‎02-26-2018 01:15 AM

Hello!
Try this run anywhere search

| makeresults 
| eval _raw="null\n\njava.lang.IllegalArgumentException
: java.util.concurrent.ExecutionException..
( java.util.concurrent.ExecutionException)
\" java.util.concurrent.ExecutionException\"" 
| rex field=_raw max_match=0 "(?<javaexception>java?.[.\w]+Exception)"

You can try something like this

| rex field=_raw (?<javaexception>java?.[.\w]+Exception)

OR

| rex field=_raw (?<javaexception>java.*Exception)
0 Karma
Reply

guru89044
Explorer
‎02-26-2018 01:34 AM

ddint work. its not correct.

0 Karma
Reply

bangalorep
Communicator
‎02-26-2018 01:37 AM

I edited my answer. did you check?
Also, if its not correct can you elaborate by giving sample inputs and what output you want

0 Karma
Reply

bangalorep
Communicator
‎02-26-2018 02:01 AM

Try this run anywhere search 

| makeresults 
| eval _raw="null\n\njava.lang.IllegalArgumentException
: java.util.concurrent.ExecutionException..
( java.util.concurrent.ExecutionException)
\" java.util.concurrent.ExecutionException\"" 
| rex field=_raw max_match=0 "(?<java>(\S+|)java.\w+.*Exception)"
0 Karma
Reply

guru89044
Explorer
‎02-26-2018 02:40 AM

no rex command is still not working.

0 Karma
Reply

bangalorep
Communicator
‎02-26-2018 02:47 AM

Can you please send me one full event? Also, please send the search query you're using.

0 Karma
Reply

guru89044
Explorer
‎02-26-2018 03:43 AM

my end goal is

https://answers.splunk.com/answers/620096/how-to-get-the-list-of-unique-exceptions-which-are.html

0 Karma
Reply

bangalorep
Communicator
‎02-26-2018 04:00 AM

For this, you need to use max_match=0 in the rex expression.

Use this query

rex field=_raw max_match=0 "(?<java>(\S+|)java.\w+.*Exception)"
0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...