I have multiple events in Splunk like below:
Exception:100 : *** Error 3006 Logons are disabled., Job=ABC
Exception:XYZ API has failed. Exception: RDBMS error 2801: Duplicate unique prime key error, Job=ABC
Exception:100 : RDBMS error 2640: Specified table either does not exist in DEX or is moved to another map., Job=ABC
I am looking for the text between "Exception:" and ", Job"
Output desired:
*** Error 3006 Logons are disabled.
RDBMS error 2801: Duplicate unique prime key error
RDBMS error 2640: Specified table either does not exist in DEX or is moved to another map.
I was trying split like below; however, in some events "Exception:" appears twice. Hence the second case above gives me "XYZ API has failed":
eval temp=split(_raw, "Exception:") | eval temp1 = mvindex(temp,1) | eval temp2=split(temp1,", Job") | eval EXCEPTION=mvindex(temp2,0)
Is there any way to split based on the second or last occurrence of "Exception:" in the event?
Thank you for any suggestion/help.
Use a negative index
| eval temp=split(_raw, "Exception:")
| eval temp1 = mvindex(temp,-1)
| eval temp2=split(temp1,", Job")
| eval EXCEPTION=mvindex(temp2,0)
Hi @ppatkar,
please try this regex:
| rex "(Exception:)(?!.*\1)(?<exception>[^,]+),\s+"
that you can test at https://regex101.com/r/5hGUXo/1
Ciao.
Giuseppe
Thanks @gcusello. It works in general; however, it breaks when my Exception has "," in it.
Ex: Exception:XYZ API has failed. Exception: ApiError(ERR361, No bucket found), Job=ABC
Output desired in this case: Exception: ApiError(ERR361, No bucket found)
Hi @ppatkar,
please, try this:
| rex "(Exception:)(?!.*\1)(?<exception>.+),\s+Job"
that you can test at https://regex101.com/r/5hGUXo/2
Ciao.
Giuseppe