Splunk Search

How to extract text from an error message in a log that follows a pattern?

Bliide
Path Finder

I am battling a field extraction. I am trying to get the text extracted from an error message in a log that follows a pattern. Here are a couple of examples of lines in the log:

LOG ERROR:6/6/2014 3:37 PM:Error during accepting socket connection - A blocking operation was interrupted by a call to WSACancelBlockingCall

LOG ERROR:6/5/2014 1:21 PM:NHibernate.dll wasn't found. NHibernate Service Browser and Handler won't be working

I am trying to extract the text after "LOG ERROR:6/6/2014 3:37 PM:". I have tried the following extraction:

(?i)\w+\s+\w+:\d+/\d+/\d+\s+\d+:\d+\s+\w+: (?P.+)

What am I missing? The field extraction fails. I do not know if I have an error in the REGEX or in the general layout of the field extraction.


somesoni2
Revered Legend

Try this

"(?i)^(?:[^:]*:){3}(?P<ErrorMessage>.+)"

Updated:

Give this a try

"(?i)^LOG ERROR(?:[^:]*:){3}(?P<ErrorMessage>.+)"

rakeshkumar_sah
New Member

Hi, I have logs that follow a structure like this:
...... - Start Performance Logging: [txID=12345678910-EJBClient987654321-EJBServer45678910; method=getValue]

How can I extract these values, EJBServer45678910, from the txID?

I would be grateful for a response, since from my logs I have to extract the EJBServerxxxxxx values.


richgalloway
SplunkTrust

Please post a new question instead of hijacking an old question.

---
If this reply helps you, Karma would be appreciated.

yannK
Splunk Employee

Do it in 2 parts: a search condition to find all the error events, and then a field extraction to generate the new field.

<mysearch> "LOG ERROR" | rex "(?i)^(?:[^:]*:){3}(?P<ErrorMessage>.+)" | table ErrorMessage


Bliide
Path Finder

The suggested regex works great. My problem now is that there is another line in the logs that matches the format of the one I want. The data I want contains the text "log error". The data I do NOT want contains the text "log info". Is there a way to modify the regex to exclude the "log info" lines?

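As an added example (not code from any of the posts above), the following Python script runs the two patterns from somesoni2's answer over the lines quoted in the question plus one constructed "LOG INFO" line, and also mimics yannK's two-step approach of searching for "LOG ERROR" first. It assumes that Python's `re` engine treats these constructs (`(?i)`, `^`, `(?:...){3}`, `(?P<name>...)`) the same way Splunk's PCRE-based `rex` does, which holds for this pattern.

```python
import re

# Constructed sample events: the two lines quoted in the question plus a
# "LOG INFO" line of the kind the last post wants to exclude.
SAMPLE_EVENTS = [
    "LOG ERROR:6/6/2014 3:37 PM:Error during accepting socket connection"
    " - A blocking operation was interrupted by a call to WSACancelBlockingCall",
    "LOG ERROR:6/5/2014 1:21 PM:NHibernate.dll wasn't found."
    " NHibernate Service Browser and Handler won't be working",
    "LOG INFO:6/5/2014 1:22 PM:Service started: listening on port 8080",
]

# somesoni2's first pattern: skip three colon-terminated fields
# (level, date+hour, minute+AM/PM) and capture everything after them.
GENERIC_RE = re.compile(r"(?i)^(?:[^:]*:){3}(?P<ErrorMessage>.+)")

# somesoni2's updated pattern: the same, but anchored on the literal
# "LOG ERROR", so lines starting with "LOG INFO" never match.
ERROR_ONLY_RE = re.compile(r"(?i)^LOG ERROR(?:[^:]*:){3}(?P<ErrorMessage>.+)")


def extract(events, pattern):
    """Return the ErrorMessage capture for every event the pattern matches.

    This mirrors `... | rex "<pattern>" | table ErrorMessage`: an event that
    does not match simply gets no field and is left out of the result.
    """
    return [m.group("ErrorMessage")
            for m in (pattern.match(line) for line in events) if m]


def extract_with_prefilter(events):
    """yannK's two-step variant: keep only events containing "LOG ERROR"
    (Splunk's search term is case-insensitive), then apply the generic regex."""
    errors = [line for line in events if "log error" in line.lower()]
    return extract(errors, GENERIC_RE)


if __name__ == "__main__":
    print("generic regex:   ", len(extract(SAMPLE_EVENTS, GENERIC_RE)), "messages")
    print("anchored regex:  ", len(extract(SAMPLE_EVENTS, ERROR_ONLY_RE)), "messages")
    print("prefilter + regex:", len(extract_with_prefilter(SAMPLE_EVENTS)), "messages")
    for msg in extract(SAMPLE_EVENTS, ERROR_ONLY_RE):
        print("  ErrorMessage =", msg)
```

Both the anchored regex and the prefilter return only the two "LOG ERROR" messages, while the unanchored pattern also captures the "LOG INFO" text.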