I've got an alert I put together and am trying to REX multiple pieces of it out to their own columns. This is against the Splunk internal logging. I had no problem pulling errorCode since it has a clearly defined field-within-a-field, but I'm not able to pull a substring out of another part of the message.
Query:

index=_internal sourcetype=sfdc:object:log log_level=ERROR OR log_level=WARNING | rex "\"errorCode\":\"(?<errorCode>[^\s]+)\"" | stats count(stanza_name) by stanza_name, log_level, errorCode, message
I've got the message at the end just to give me the query error, but what I'd like to do is REX that as well, like I did to get the errorCode as its own column. Below is a sample message, with the part in bold being what I'd like to rex out to its own column. I can't find an example of doing that where there isn't a clear delineation within the message like "errorCode":"<error>".
[{"message":"\nFoo,Bar,FooBar,FooBar2\n ^\nERROR at Row:1:Column:232\nNo such column 'FooBar2' on entity 'MyAwesomeObject'. If you are attempting to use a custom field, be sure to append the '__c' after the custom field name. Please reference your WSDL or the describe call for the appropriate names.","errorCode":"INVALID_FIELD"}]
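Added example (not part of the original question or any answer): the substring has no key/value delimiter, so the regex has to anchor on text that is stable across events, here the literal `ERROR at Row:N:Column:M` marker and the sentence that follows it. Which part was bold in the original post is not recoverable, so the assumption below is that the wanted column is the first sentence after the row/column marker, with the row and column numbers pulled out as a bonus. The sample event is the one pasted above, stored exactly as it was shown (so `\n` is two literal characters, which is the usual shape of a raw `_internal` event); the pattern also accepts a real newline so it still works if the field is already JSON-decoded. Python's `re` is used only to verify the pattern; it needs `(?P<name>...)` where Splunk's rex takes `(?<name>...)`, and backslash escaping inside an SPL double-quoted rex string must be checked separately.

```python
import json
import re

# Constructed sample: the event body as pasted in the question, on one line.
# A raw string keeps the JSON escape \n as two literal characters.
SAMPLE_EVENT = r'''[{"message":"\nFoo,Bar,FooBar,FooBar2\n ^\nERROR at Row:1:Column:232\nNo such column 'FooBar2' on entity 'MyAwesomeObject'. If you are attempting to use a custom field, be sure to append the '__c' after the custom field name. Please reference your WSDL or the describe call for the appropriate names.","errorCode":"INVALID_FIELD"}]'''

# Same idea as the errorCode rex from the question, tightened so the value
# can never run past the closing quote ([^"\s] instead of [^\s]).
ERRORCODE_RE = re.compile(r'"errorCode":"(?P<errorCode>[^"\s]+)"')

# Assumed target: the row/column marker and the first sentence after it.
# Splunk rex form of the same pattern (named groups as (?<name>...)):
#   ERROR at Row:(?<errRow>\d+):Column:(?<errCol>\d+)<newline>(?<errDetail>[^.]+)\.
ERROR_RE = re.compile(
    r"ERROR at Row:(?P<errRow>\d+):Column:(?P<errCol>\d+)"  # position of the failure
    r"(?:\\n|\n)"                                            # literal backslash-n OR a real newline
    r"(?P<errDetail>[^.]+)\."                                # first sentence of the explanation
)


def extract_fields(event: str) -> dict:
    """Return the fields a rex chain would add for this event ({} if nothing matches)."""
    fields = {}
    for pattern in (ERRORCODE_RE, ERROR_RE):
        match = pattern.search(event)
        if match:
            fields.update(match.groupdict())
    return fields


def decoded_message(event: str) -> str:
    """The 'message' value after JSON decoding, i.e. with real newlines (hypothetical helper)."""
    return json.loads(event)[0]["message"]


if __name__ == "__main__":
    # Raw event: all four fields, including errorCode.
    print(extract_fields(SAMPLE_EVENT))
    # Decoded message: no errorCode key, but the row/column/detail still match
    # thanks to the newline alternation.
    print(extract_fields(decoded_message(SAMPLE_EVENT)))
```

The `[^.]+` stop condition assumes the first sentence of the explanation does not itself contain a period (object names like `Foo__c.Bar` would cut it short); if that turns out to be the case for your data, stop at the next `\n` instead.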