Hi
I'm currently using the following regex to match different types of exceptions.
(?i:[^.]+.)*(?P
sample log
06 Sep 2013 18:59:59,924 [WebContainer : 4] ERROR - Remote Exception while updating CSA Details
java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
java.rmi.RemoteException: ; nested exception is:
org.springframework.jdbc.UncategorizedSQLException: CallableStatementCallback; uncategorized SQLException for SQL [{call
PX_CO_AC_AGREEMENT_MASTER_PG.spt_update(?, ?, ?, ?, ?, ?)}]; SQL state [72000]; error code
[20002]; ORA-20002: Record has been modified since last retrieved - Resubmit transaction for
parameter(s) p_acag_agreement_id_in values of which are => 1463755
ORA-06512: at "ACCOUNT_OWNER.PX_CO_AC_AGREEMENT_MASTER_PG", line 91
ORA-06510: PL/SQL: unhandled user-defined exception
ORA-06512: at line 1
; nested exception is java.sql.SQLException: ORA-20002: Record has been modified since last
retrieved - Resubmit transaction for parameter(s) p_acag_agreement_id_in values of which are
=> 1463755
ORA-06512: at "ACCOUNT_OWNER.PX_CO_AC_AGREEMENT_MASTER_PG", line 91
ORA-06510: PL/SQL: unhandled user-defined exception
ORA-06512: at line 1
The regex is matching SQLException (bold) but I need to match UncategorizedSQLException (bold) once from the above log entry.
I even tried it like this: (?i:[^.]+.)*(?P[a-zA-Z]+Exception|UncategorizedSQLException) but it was not successful.
Any help on this?
As suggested in @MuS answer, try the different values in a regex tester (you could also use the built-in one in Splunk Web).
I think you need to consider some other things, though:
... ack; uncategorized SQLException for SQL ...
). Additionally, the values are not the first exceptions mentioned in the event.Exception
. You might need to detect exceptions based on position, or by filtering your results to only events that should mention exceptions.com.foo.framework.net.http.NotFoundException
and org.bar.gofish.hand.NotFoundException
). If you're doing statistics based on these extractions, that could give you bad results.
How can I do this, any example or doc?
You probably found a solution, but: rex max_match=0 ... will extract as many values as there are, and make the field multivalued. See http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/rex
You could have an extraction that creates a multivalue field.
How can I do this, any example or doc?
I need to extract one exception from each event and show the count in the form of chart.
The above example log is one event in which initially I extracted java.rmi.ServerException-> "Server exception"
You could have an extraction that creates a multivalue field. Then you could filter out ServerException and other generic ones when doing the stats and chart, so your chart can include any new exceptions that turn up.
Any suggestion on how to tackle this problem.
Extract the whole name, then categorize afterwards, e.g. stats count(eval(match(exception, "SQL"))) as SQLExceptions.
hi laserval,
I need to extract one exception from each event and show the count in the form of chart.
The above example log is one event in which initially I extracted java.rmi.ServerException-> "Server exception" but now I've to match org.springframework.jdbc.UncategorizedSQLException -> "UncategorizedSQLException" instead of Server exception.
Yeah, the last point is a valid one: there could be different fully-qualified names. Any suggestion on how to tackle this problem?
Hi prad18
quick one would be like this:
(?<test>(\sSQL|(\w+\.){3}\w+SQL)+Exception)
this matches org.springframework.jdbc.UncategorizedSQLException and SQLException
You can test your regex by using this nice online regex tester
hope this helps ...
cheers, MuS
While posting comments, slashes are being removed. I made a typo with the rex command, that's why it was not working; then I added an assertion like ((w+.){2,6})(?
Thanks a lot for help MuS
Hi sure it does, you must include \
like this
((\w+\.){2,6})(?<test>\w+\b)
it will create new fields called test
Hi MuS,
((w+.){2,6})(?
well that was what you requested in first place 😉
To match the last word in any of the above provided errors you could use something like this:
((\w+\.){2,6})(?<test>\w+\b)
cheers
It is matching only org.springframework.jdbc.UncategorizedSQLException, SQLException these
But actually I need to match following
An Error has occured for com.marsh.csa.exception.NoClientInfoFound:-->NoClientInfoFound
handleException():com.marsh.framework.core.exception.MarshException:-->MarshException
Found Exception, class:java.lang.NullPointerException-->NullPointerException
org.springframework.dao.DataAccessResourceFailureException-->DataAccessResourceFailureException
org.springframework.jdbc.UncategorizedSQLException-->UncategorizedSQLException
Just last words not entire package name.
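The approach the thread converges on (collect every class name as rex max_match=0 would, keep only the last word, set generic wrappers aside before counting), sketched in Python as an added example that is not from any poster. The GENERIC set, the function names and the abbreviated sample events are assumptions built from the log lines quoted above.

```python
import re
from collections import Counter

# Thread's pattern ((\w+\.){2,6})(?<test>\w+\b) in Python named-group syntax:
# 2 to 6 dotted package segments, then the simple class name (the "last word").
# Names nested deeper than six packages are outside this pattern, as in the thread.
FQCN = re.compile(r"\b(?:\w+\.){2,6}(?P<name>\w+)\b")

# Assumption: wrapper exceptions treated as generic and skipped when an event
# also names something more specific.
GENERIC = {"ServerException", "RemoteException"}

def exception_names(event):
    """Every simple class name in the event, in order (what max_match=0 collects)."""
    return [m.group("name") for m in FQCN.finditer(event)]

def primary_exception(event):
    """First non-generic name, else the first name, else None."""
    names = exception_names(event)
    specific = [n for n in names if n not in GENERIC]
    return (specific or names or [None])[0]

def count_by_exception(events):
    """One exception per event, counted for charting."""
    found = (primary_exception(e) for e in events)
    return Counter(name for name in found if name)

# Constructed sample: the multi-line event from the question, abbreviated.
EVENT = (
    "06 Sep 2013 18:59:59,924 [WebContainer : 4] ERROR - Remote Exception while updating CSA Details\n"
    "java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:\n"
    "java.rmi.RemoteException: ; nested exception is:\n"
    "org.springframework.jdbc.UncategorizedSQLException: CallableStatementCallback; uncategorized SQLException for SQL\n"
    "; nested exception is java.sql.SQLException: ORA-20002: Record has been modified\n"
)
# Constructed sample: the single-line cases listed in the last post.
LINES = [
    "An Error has occured for com.marsh.csa.exception.NoClientInfoFound:",
    "handleException():com.marsh.framework.core.exception.MarshException:",
    "Found Exception, class:java.lang.NullPointerException",
    "org.springframework.dao.DataAccessResourceFailureException",
    "org.springframework.jdbc.UncategorizedSQLException",
]

if __name__ == "__main__":
    for name, n in count_by_exception([EVENT] + LINES).most_common():
        print(n, name)
```

Because the name group is not required to end in "Exception", classes such as NoClientInfoFound are picked up as well.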