Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to show all message from certain log via rex?

ivana27
Path Finder
‎03-01-2021 11:47 PM

Hi dear Splunkers,

i have log like this :

2021-02-11 14:47:51.167 [Error] ** Dummy User with dummyNumb:1111 Plate:AAAAA Country:Dummy paid dummy on DunnoOrder:2222222, but Dum sz: erere:45454545 not dispensed for Carouserl_Error !!!

And i would like to display everything after [Error] **.

I tried like this but i got error:

| rex "\[Error\]\s**\s(?<message>)"

Please help

Thank you

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-01-2021 11:52 PM 
| rex "\[Error\]\s\*\*\s(?<message>.*)"

View solution in original post

Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎03-01-2021 11:54 PM

@ivana27 

 

Can you please try this?

| rex "\[Error\]\s\*\*\s(?<message>.*)"


 Sample Search:

 

| makeresults 
| eval _raw="2021-02-11 14:47:51.167 [Error] ** Dummy User with dummyNumb:1111 Plate:AAAAA Country:Dummy paid dummy on DunnoOrder:2222222, but Dum sz: erere:45454545 not dispensed for Carouserl_Error !!!" 
| rex "\[Error\]\s\*\*\s(?<message>.*)"

 

Tags (1)
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎03-01-2021 11:55 PM

oops.. late reply 🙂 

0 Karma
Reply
Solved! Jump to solution

ivana27
Path Finder
‎03-02-2021 12:13 AM

Thank you in any case 🙂

Do you know how to put messages from Error one after another and not in horizontal view?

@kamlesh_vaghela 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-02-2021 12:22 AM

What delimits the parts of the message you want to separate?

0 Karma
Reply
Solved! Jump to solution

ivana27
Path Finder
‎03-02-2021 12:34 AM

Should be split by _time of log, should look like this

2021-02-12 00:35:20.820  [Error] ## sample1 bla bla bla
2021-02-12 00:35:20.836  [Information] sample2 bla bla bla
2021-02-12 00:35:30.731 [Information] sample3 bla bla bla
2021-02-12 00:35:31.429 [Information] sample4 bla bla bla
2021-02-12 00:35:31.506 [Error] ## sample5 bla bla bla
2021-02-12 00:35:31.519 [Error] ** sample6 bla bla bla

And now i have search like this which displays in same row:

index=pkg_prespvm host IN (*)
| dedup _raw
| transaction host startswith="[Information] STEP = Dummy" endswith="[Information] -- START TRANSACTION --"
| rex field=_raw "plate:(?<info>[^,]+)"
| rex "\[Error\]\s\*\*\s(?<message>.*)"
| rex "\[Error\]\s\##\sGet\sDuuno\sTransaction\s(?<tranok>.*)"
| rex "\[Error\]\s\CustNum:\s(?<customer>.*)"
| search "Get Transaction NOK --> Payment:OK"
| stats count by host _time tranok message customer info
| table _time host customer tranok message info

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎03-02-2021 12:19 AM
Can you please share your expected sample output. So I can help you..
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-01-2021 11:52 PM 
| rex "\[Error\]\s\*\*\s(?<message>.*)"
Reply
Get Updates on the Splunk Community!

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...