Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract text from an error message in a log that follows a pattern?

Bliide
Path Finder
‎06-19-2014 07:43 AM

I am battling a field extraction. I am trying to get the text extracted from an error message in a log that follows a pattern. Here are a couple of examples of lines in the log:

LOG ERROR:6/6/2014 3:37 PM:Error during accepting socket connection - A blocking operation was interrupted by a call to WSACancelBlockingCall

LOG ERROR:6/5/2014 1:21 PM:NHibernate.dll wasn't found. NHibernate Service Browser and Handler won't be working

I am trying to extract the text after "LOG ERROR:6/6/2014 3:37 PM:". I have tried the following extraction:

(?i)\w+\s+\w+:\d+/\d+/\d+\s+\d+:\d+\s+\w+: (?P.+)

What am I missing? The field extraction fails. I do not know if I have an error in the REGEX or in the general layout of the field extraction.

Tags (3)
0 Karma
Reply

somesoni2
Revered Legend
‎06-19-2014 07:55 AM

Try this

 "(?i)^(?:[^:]*:){3}(?P<ErrorMessage>.+)"

Updated:

Give this a try

"(?i)^LOG ERROR(?:[^:]*:){3}(?P<ErrorMessage>.+)"
0 Karma
Reply

rakeshkumar_sah
New Member
‎11-12-2015 02:24 AM

hi , i have the logs followed with the structure like this:
...... - Start Performance Logging: [txID=12345678910-EJBClient987654321-EJBServer45678910; method=getValue]

how can i extract the EJBServer45678910- theses values from the txID ?

I would be greatful for the response. Since from my of my logs i have to extract the EJBServerxxxxxx values.,

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-12-2015 10:25 AM

Please post a new question instead of hijacking an old question.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎06-24-2014 10:11 AM

do in 2 parts : a search condition to find all the errors events, and then a field extraction to generate the new field.

<mysearch> "LOG ERROR" | rex "(?i)^(?:[^:]*:){3}(?P<ErrorMessage>.+)" | table ErrorMessage

0 Karma
Reply

Bliide
Path Finder
‎06-24-2014 09:04 AM

The suggested regex works great. My problem now is that there is another line in the logs that matches the format of the one I want. The data I want contains the text "log error". The data I do NOT want contains the test "log info". Is there a way to modify the regex to exclude the "log info" lines?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...