Hi,
I am trying to extract error message and error code from logs in Splunk.
I can see 2 patterns of these-
pattern 1 --> error code ASDAGWS_SEARCH_EMPTY_RESULTS error message Sorry, we can't find anything that matches your search for crumbly lancashire
the regex for this is--> error\scode\s(?.*)\serror\smessage\s(?.*)
pattern 2 --> errorcode=ASDAGWS_InvalidPageNumberOrSize&errormsg=Incorrect page number or size&RO=null
the regex for this is-->errorcode\=(?.*)_Error\&errormsg=(?.*)
I want to extract pattern 1 first; if the first pattern does not exist in the event, the 2nd pattern will exist for sure, and I want to extract that.
The regex I have written is as follows, but this is not working:
| rex field=_raw "(error\scode\s(?.*)\serror\smessage\s(?.*) OR errorcode\=(?.*)_Error\&errormsg=(?.*)
Can someone let me know how I can proceed with that?
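Added example, not part of the original post: the "pattern 1 first, otherwise pattern 2" extraction asked about above, written in Python so it can be run against the two quoted sample lines. The group names code and msg and the function name extract_error are assumptions (the group names in the post's regexes are not visible on the page), and the second pattern does not require the literal _Error that the post's regex has, because the quoted sample line does not contain it.

```python
import re

# Constructed sample events, copied from the two patterns quoted in the post.
EVENT_1 = ("error code ASDAGWS_SEARCH_EMPTY_RESULTS error message "
           "Sorry, we can't find anything that matches your search for crumbly lancashire")
EVENT_2 = ("errorcode=ASDAGWS_InvalidPageNumberOrSize"
           "&errormsg=Incorrect page number or size&RO=null")

# Patterns in priority order. The word OR is not regex syntax; a single regex
# would need "|" and distinct group names per branch, and would return the
# leftmost match rather than the preferred one. Trying the patterns one after
# the other keeps pattern 1 ahead of pattern 2 even if an event holds both.
# Python writes a named group as (?P<name>...); Splunk's rex uses (?<name>...).
PATTERNS = (
    # pattern 1: code is one token, message runs to the end of the line
    re.compile(r"error\scode\s(?P<code>\S+)\serror\smessage\s(?P<msg>.*)"),
    # pattern 2: key=value pairs separated by "&", so stop each value at "&"
    re.compile(r"errorcode=(?P<code>[^&\s]+)&errormsg=(?P<msg>[^&]*)"),
)


def extract_error(raw):
    """Return (error_code, error_message) from one event, or None."""
    for pattern in PATTERNS:
        match = pattern.search(raw)
        if match:
            return match.group("code"), match.group("msg").strip()
    return None


if __name__ == "__main__":
    for event in (EVENT_1, EVENT_2, "no error fields in this line"):
        print(extract_error(event))
```

In Splunk the same ordering can be expressed as two rex commands that write to differently named fields, followed by an eval that picks the first non-null value with coalesce().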