Field values with spaces

tkwaller
Builder

Hello

I'm trying to use a field that has values that have spaces.

For example: errorMsg=Requested tickets could not be reserved

Another example: errorMsg=System.ObjectDisposedException: The factory was disposed and can no longer be used. Object name: 'this'.

The problem is that the messages contain spaces. All of the messages in this field are different, some longer with fewer spaces and some shorter. When I do a stats count command on the errorMsg field, all I get is the first word of the string.

Any ideas on how I can correct this?

I also tried using the Field Extractor but alas no good.

Thank you!

0 Karma
1 Solution

linu1988
Champion

Well, you could extract the value from the event and then assign it to a new field. Take a chance with the below one.

source...| rex field=_raw "errorMsg=(?P<Error>[\S\s]+)" |stats count by Error

Thanks

0 Karma
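An added example, not part of the original posts: a self-contained search that can be pasted into the search bar to try the extraction without touching real data. It builds four constructed events with makeresults (the timestamps and the sample, level and userId fields are made up) and goes beyond the answer's pattern by assuming errorMsg may be followed by another key=value pair, so the capture stops at the next key instead of running to the end of the event.

```spl
| makeresults count=4
| streamstats count AS n
| eval _raw=case(
    n=1, "2024-01-01 10:00:00 sample=constructed level=ERROR errorMsg=Requested tickets could not be reserved",
    n=2, "2024-01-01 10:00:05 sample=constructed level=ERROR errorMsg=Requested tickets could not be reserved",
    n=3, "2024-01-01 10:00:09 sample=constructed level=ERROR errorMsg=System.ObjectDisposedException: The factory was disposed and can no longer be used. Object name: 'this'.",
    n=4, "2024-01-01 10:00:12 sample=constructed level=ERROR errorMsg=Requested tickets could not be reserved userId=42")
| rex field=_raw "errorMsg=(?P<Error>.+?)(?=\s+\w+=|$)"
| stats count by Error
```

If a message can itself contain text shaped like key=value, the lookahead cuts it short at that point; in that case the greedy pattern from the answer is the better fit, provided errorMsg is the last field in the event.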

tkwaller
Builder

Both of these seemed to be correct answers. The first solves inline and the second works great as an extraction. Thanks for the help guys, I greatly appreciate it!

0 Karma

tkwaller
Builder

Yes, after the = sign there is always a message like the examples above. It is NEVER NULL. When I use the stats command I only get the first word of the message.

0 Karma

linu1988
Champion

I meant, after the = sign do you have the error message or do you get something else?

0 Karma

tkwaller
Builder

But it is always more than one word.

0 Karma

tkwaller
Builder

No, sometimes it is something simpler, such as: errorMsg=Requested tickets could not be reserved

0 Karma

linu1988
Champion

Do you always have the entire sentence as the error message after errorMsg=?

0 Karma