Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to do newline splitting for a single event

sumitnagal
Path Finder
‎09-12-2012 05:58 PM

Hi,
I want to identified the exception caused by my API to the external API. here is example, I am looking for below output

14 Jun 2012 07:38:55,280 [ABCD] ERROR my.classname (46) - The exception value: An error occurred while processing the request on the server: System.Runtime.Remoting.RemotingException: Server is busy. Try request again later.
at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:188)
at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:130)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
at $Proxy207.retrieveDeploymentById(Unknown Source)
at com.test.abc.my(classname:46)

I am looking for below output

14 Jun 2012 07:38:55  my.class 46  com.sun.xml.ws.fault.SOAP11Fault.getProtocolException System.Runtime.Remoting.RemotingException

I am trying below query, but not sure how can do line breaking after getting value.

search | rex "(?i)^(?P<DATEFIELD>[^,]+),\\d+\\s+\[(?P<FIELDNAME>[^ ]+)\] (?P<LOGTYPE>(INFO|ERROR|DEBUG)) (?P<CALLNAME>[^ ]+)\(\d+\)\\s-\\s(?P<FIELDNAME2>[^-]+)" | rex "(?i)\tat (?P<FIELDNAME3>[^\(]+)"

Thanks,
Sumit

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jonuwz
Influencer
‎09-13-2012 03:09 AM

Like this :

... | rex "(?si)^(?P<DATEFIELD>[^,]+),\d+\s+\[(?P<FIELDNAME>[^ ]+)\] (?P<LOGTYPE>(INFO|ERROR|DEBUG)) (?P<CALLNAME>[^ ]+) \((?P<FIELDNAME2>\d+)\).*?:.*?:\s+(?P<FIELDNAME3>[^:]+).*?[\r\n]+\s*at\s+(?P<FIELDNAME4>[^\(]+)" 
| table DATEFIELD FIELDNAME LOGTYPE CALLNAME FIELDNAME2 FIELDNAME3 FIELDNAME4

The 's' in (?si) means treat \n as a character, not a line break.

This returns :

DATEFIELD   14 Jun 2012 07:38:55
FIELDNAME   ABCD
LOGTYPE     ERROR
CALLNAME    my.classname
FIELDNAME2  46
FIELDNAME3  System.Runtime.Remoting.RemotingException
FIELDNAME4  com.sun.xml.ws.fault.SOAP11Fault.getProtocolException

View solution in original post

Reply
Solved! Jump to solution

sumitnagal
Path Finder
‎10-07-2013 02:48 AM

This is very close to what I am looking, but I can't use FIELDNAME as it may have few lines or may have too many lines. I have to parse all the lines, please suggest how do I get specific liie , com.test.abc.my from the list of stack trace.

0 Karma
Reply
Solved! Jump to solution
Solution

jonuwz
Influencer
‎09-13-2012 03:09 AM

Like this :

... | rex "(?si)^(?P<DATEFIELD>[^,]+),\d+\s+\[(?P<FIELDNAME>[^ ]+)\] (?P<LOGTYPE>(INFO|ERROR|DEBUG)) (?P<CALLNAME>[^ ]+) \((?P<FIELDNAME2>\d+)\).*?:.*?:\s+(?P<FIELDNAME3>[^:]+).*?[\r\n]+\s*at\s+(?P<FIELDNAME4>[^\(]+)" 
| table DATEFIELD FIELDNAME LOGTYPE CALLNAME FIELDNAME2 FIELDNAME3 FIELDNAME4

The 's' in (?si) means treat \n as a character, not a line break.

This returns :

DATEFIELD   14 Jun 2012 07:38:55
FIELDNAME   ABCD
LOGTYPE     ERROR
CALLNAME    my.classname
FIELDNAME2  46
FIELDNAME3  System.Runtime.Remoting.RemotingException
FIELDNAME4  com.sun.xml.ws.fault.SOAP11Fault.getProtocolException
Reply
Solved! Jump to solution

wjblazek
Explorer
‎10-28-2014 04:23 PM

Yes Thanks!

The "[\r\n]" was the key I needed to search across line breaks:

| rex field=_raw "\[(?P<field1>...)\-(?P<field2>...)\-(?P<field3>...).*\]" | rex field=_raw "(?si)\s+\-\s+Caught\s+(?P<field4>...):\s+(?P<field5>...).*[\r\n](?P<field6>...):\s(?P<field7>...)" | stats count(field2) by field2,field3,field4,field5,field6,field7

Also (?m) seems to work like (?si) to tell rex to work across multiple lines:

| rex field=_raw "\[(?P<field1>...)\-(?P<field2>...)\-(?P<field3>...).*\]" | rex field=_raw "(?m)\s+\-\s+Caught\s+(?P<field4>...):\s+(?P<field5>...).*[\r\n](?P<field6>...):\s(?P<field7>...)" | stats count(field2) by field2,field3,field4,field5,field6,field7

Is there any significant difference between (?m) and (?si) ?

Is this documented anywhere?

0 Karma
Reply
Solved! Jump to solution

jonuwz
Influencer
‎10-31-2014 04:33 PM

pcre modifiers - http://php.net/manual/en/reference.pcre.pattern.modifiers.php

0 Karma
Reply
Solved! Jump to solution

johnnyzebra
Engager
‎07-07-2014 04:16 PM

Thanks!
This helped me resolve an issue where a rex I used in my search would not work when I did it as a field extraction. (grabbing everything up to the end of the line) It seems as if the field extraction was applying the si, so my \n wouldn't work.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...