So I have the following log structure:
Oct 7 13:51:05, 10.96.3.29, 10.96.3.29, domain:,default [xyz][0x80e003aa][xmlparse][error] mpgw(AbcService): trans(2389130247)[request]: mismatched tag, expected meta at offset 675 of http://xyz/sales/zyx
Oct 7 13:51:05, 10.96.3.28, 10.96.3.28, domain:,default [abc][0x80e00161][mpgw][error] source-http(XyzService): trans(363541717)[x.x.x.x]: Request processing failed: Connection terminated before request headers read because of the connection error occurs, from URL: x.x.x.x:60510
I am trying to get the error_msg in a variable, but since the pattern is not distinct, I have to OR the matching pattern which matches anything after [request]: as Error and anything after [X.X.X.X]: as Error.
I created a regex which works well on a regex tester, but Splunk gives an error:
Error in 'rex' command: Encountered the following error while compiling the regex
'\[error\][^\(]+\((?<service>[^\)]+).+(trans\((\d+){8}\)\[\b(?:\d{1,3}\.){3}\d{1,3}\b\]\:\s+(?<error_msg>.+) | trans\((\d+){8}\)\[request\]\:\s+(?<error_msg>.+))': Regex: two named subpatterns have the same name
Below is my regex:
\[error\][^\(]+\((?<service>[^\)]+).+(trans\((\d+){8}\)\[\b(?:\d{1,3}\.){3}\d{1,3}\b\]\:\s+(?<error_msg>.+) | trans\((\d+){8}\)\[request\]\:\s+(?<error_msg>.+))
How do I capture the ErrorMessage from the two patterns of log files?
Extracting the fields doesn't work either and gives a lot of junk, so I would like to go through the regex way.
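An added example, not part of the original post: the "two named subpatterns have the same name" error goes away when the alternation is moved inside the brackets, so that `error_msg` is defined only once. It is written in Python, whose `re` module uses `(?P<name>...)` where Splunk's rex takes `(?<name>...)` and which also rejects a repeated group name; the `trans_id` group, the function names and the third log line are assumptions made for the example.

```python
import re

# First two lines are the samples from the post (the second has its IP redacted
# as x.x.x.x there); the third is constructed to exercise a real dotted-quad.
SAMPLE_LOGS = [
    "Oct 7 13:51:05, 10.96.3.29, 10.96.3.29, domain:,default [xyz][0x80e003aa][xmlparse][error] mpgw(AbcService): trans(2389130247)[request]: mismatched tag, expected meta at offset 675 of http://xyz/sales/zyx",
    "Oct 7 13:51:05, 10.96.3.28, 10.96.3.28, domain:,default [abc][0x80e00161][mpgw][error] source-http(XyzService): trans(363541717)[x.x.x.x]: Request processing failed: Connection terminated before request headers read because of the connection error occurs, from URL: x.x.x.x:60510",
    "Oct 7 13:51:06, 10.96.3.28, 10.96.3.28, domain:,default [abc][0x80e00161][mpgw][error] source-http(XyzService): trans(123456789)[10.96.3.40]: Request processing failed",
]

# The two shapes differ only in what sits between the brackets after trans(...),
# so the OR goes there and each named group appears exactly once.
PATTERN = re.compile(
    r"\[error\]\s+[^(]+\((?P<service>[^)]+)\):\s+"
    r"trans\((?P<trans_id>\d+)\)"                       # trans_id: added for the example
    r"\[(?:request|x\.x\.x\.x|(?:\d{1,3}\.){3}\d{1,3})\]:\s+"  # x.x.x.x only for the redacted sample
    r"(?P<error_msg>.+)"
)

def extract(line):
    """Return service, trans_id and error_msg for one log line, or None if it does not match."""
    m = PATTERN.search(line)
    return m.groupdict() if m else None

def duplicate_name_error():
    """Compile a pattern that names error_msg in both branches, the shape used in the post."""
    try:
        re.compile(r"\[request\]:\s+(?P<error_msg>.+)|\[x\]:\s+(?P<error_msg>.+)")
    except re.error as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    print("duplicate name ->", duplicate_name_error())
    for line in SAMPLE_LOGS:
        print(extract(line))
```

For Splunk's rex, the same pattern applies with each `(?P<` written as `(?<`.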