Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Regex to extract exceptionmessage

Bhuavana
Explorer
‎11-07-2014 02:34 AM

Hi,

I have five different types of exceptions and for that messages are logged as shown below :

ClientIp=065162175003 : - caught
com.wu.ws.WUWSException: WS000:WUWSException occured while executing the web service
at sun.reflect.GeneratedConstructorAccessor721

ClientIp=065162175003 : - caught
com.wu.ws.WUWSException: WS000:WUWSException occured while executing the web service
at

ClientIp=065162175003 : - Exception while getting fileApolloWhitelistedCredentials.properties ResourceHandler:getConfirationProperties()
java.io.FileNotFoundException: /apps/mobiliser5.1.0/02/money/conf/ApolloWhitelistedCredentials.properties (No such file or directory)
at
ClientIp=220227031066 : - caught
com.wu.ws.UserIDNotFoundException: W0334:The User Name you entered is incorrect. Please try again.
at

ClientIp=065162175003 : - caught
com.wu.ws.WUWSException: WS000:WUWSException occured while executing the web service
at

ClientIp=220227031066 : - caught
com.sybase365.mobiliser.custom.project.businesslogic.exceptions.WuCustomerLoginException: Failed to login through xx.com by identification: test@MAIINATOR.COM
at

Here i need extract the exception message alone in regex[ keeping ClientIp= as the front reference and at as the end reference- need to extract text between of that] using regex

Please let me know the regex query for the same

Tags (3)
0 Karma
Reply

aholzer
Motivator
‎11-07-2014 08:30 AM

Try this:

rex "(?P<exception_msg>ClientIp=\d{12} : - Exception [^\n]+? at)\n"

I've made a couple of assumptions:

  1. ClientIp= is always followed by exactly 12 digits
  2. That immediately after the ending "at" there is a new line
  3. You want to include both the strings "ClientIp" and "at" in your extraction

Hope this helps

0 Karma
Reply

Bhuavana
Explorer
‎11-10-2014 11:10 PM

Thanks for the update. With few modiifcations im able to fetch half of the message using below regex

| rex field=_raw "ClientIp=\d{12} : - (?(.)+[\n at])"

But above one is skipping message which is at next line.

Any idea how to fetch text at next line?

For ex:

In below log:

ClientIp=065162175003 : - Exception while getting fileApolloWhitelistedCredentials.properties
ResourceHandler:getConfirationProperties()
java.io.FileNotFoundException: /apps/mobiliser5.1.0/02/money/conf/ApolloWhitelistedCredentials.properties (No such file or directory)
at

With my above expression im able to get below text alone :

Exception while getting fileApolloWhitelistedCredentials.properties

But next line starting with ResourceHandler..... and java.io. is not extracted.

Please help to extract the same>?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-07-2014 05:12 AM

It's not clear exactly what text you're trying to extract. Please tell what your expected output is.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Bhuavana
Explorer
‎11-10-2014 11:12 PM

I need to extract message like [for ex: Exception while getting fileApolloWhitelistedCredentials.properties ResourceHandler:getConfirationProperties()
java.io.FileNotFoundException: /apps/mobiliser5.1.0/02/money/conf/ApolloWhitelistedCredentials.properties (No such file or directory] from above logs.
Similar to above text, from above logs text which starts next to : - and ends at [at]

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...