Splunk Search

How to extract fields from my sample data and include these results in an email alert?

krishananth
Explorer

Hello,

I'm evaluating Splunk to capture data for raising data alerts, raising technical alerts, etc.
Most of the data generated is using Log4J2. I'm able to forward data from a Linux machine to a receiver (on a Windows PC).
I'm able to view real-time searches. Now I need to filter the data based on a regex or any expression and link it to email alerts.
I tried using fields, but it seems complex to extract data from my search results.
Below is sample data:

2015-04-07 17:05:09,019 ERROR o.m.e.DefaultMessagingExceptionStrategy [[SplunkErrorProducer-vv3].SplunkErrorProducerFlow.stage1.02] 
********************************************************************************
Message               : Component that caused exception is: DefaultJavaComponent{SplunkErrorProducerFlow.component.207509504}. Message payload is of type: String
Code                  : MULE_ERROR--2
--------------------------------------------------------------------------------
Exception stack is:
1. payload contents =
Printing: 
CommonProductResult #0 {..... 250 lines more ...}
*********************************************************************************

My questions are:
1) How do I extract data beginning from "payload contents" to the "********" line (around 250 lines, which are not fixed)?
2) Even if I define a field, how can the field data be part of the email body for an alert?

Could you help me with this? Is a field object necessary, or is there any other way to extract data based on a specific pattern and link it to email alerts?

Thank you,

Ananth

1 Solution

esix_splunk
Splunk Employee

For the regex, you can first test with an inline rex using multiline capture:

[search] | rex field=_raw "(?s)payload contents = (?<myfield>[^\*]+)\n\*+"

May need to adjust that a bit; I don't have time right now to run that through a regex validator. Once that field's extracted, you can reference the field in alerts. One way is to add ... | table _time myfield ... to the end of your saved search.
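The extraction the answer describes, as an added Python example (not code from this thread or from Splunk): it runs the same regex over a constructed event modelled on the sample above, in Python's named-group syntax, and also shows a hardened variant for payloads that themselves contain an asterisk, which the original pattern cannot match at all.

```python
import re
from typing import Optional

# Constructed sample event modelled on the one in the question; not a real log.
SAMPLE_EVENT = "\n".join([
    "2015-04-07 17:05:09,019 ERROR o.m.e.DefaultMessagingExceptionStrategy "
    "[[SplunkErrorProducer-vv3].SplunkErrorProducerFlow.stage1.02]",
    "*" * 80,
    "Message               : Component that caused exception is: DefaultJavaComponent"
    "{SplunkErrorProducerFlow.component.207509504}. Message payload is of type: String",
    "Code                  : MULE_ERROR--2",
    "-" * 80,
    "Exception stack is:",
    "1. payload contents =",
    "Printing: ",
    "CommonProductResult #0 {..... 250 lines more ...}",
    "*" * 81,
])

# The accepted answer's rex in Python syntax. Splunk's rex is PCRE and writes the named
# group as (?<myfield>...); Python's re module needs (?P<myfield>...). "\s*" after "="
# accepts both the "= " in the answer and the "=" followed directly by a newline in the
# sample. "(?s)" only changes what "." matches, and "." is not used here, so it is harmless.
ANSWER_PATTERN = re.compile(r"(?s)payload contents =\s*(?P<myfield>[^\*]+)\n\*+")

# Hardened variant: "[^*]+" can never step over an asterisk, so if the payload itself
# contains "*" the whole rex fails and the field is simply missing from the alert row.
# Matching lazily up to a line made only of asterisks (the block terminator) avoids that.
ROBUST_PATTERN = re.compile(
    r"payload contents =\s*(?P<myfield>.+?)\n\*{10,}$", re.S | re.M
)


def extract_payload(event: str, pattern: re.Pattern = ANSWER_PATTERN) -> Optional[str]:
    """Return what Splunk would put in 'myfield' for this event, or None when rex finds nothing."""
    match = pattern.search(event)
    return match.group("myfield") if match else None


# Constructed variant whose dumped object contains an asterisk (e.g. a wildcard value).
EVENT_WITH_STAR = SAMPLE_EVENT.replace(
    "CommonProductResult #0 {..... 250 lines more ...}",
    "CommonProductResult #0 {pattern=prod-*; ..... 250 lines more ...}",
)

if __name__ == "__main__":
    print(repr(extract_payload(SAMPLE_EVENT)))
    print(repr(extract_payload(EVENT_WITH_STAR)))                  # None
    print(repr(extract_payload(EVENT_WITH_STAR, ROBUST_PATTERN)))
```

rex runs per event, so either pattern only works if Splunk has indexed the whole block (timestamp line through closing asterisk line) as one event rather than one event per line.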

krishananth
Explorer

Hi,

I'm using the following search query to pick the payload contents.

sourcetype=MY_DEV source="/my_esb/logs/splunkerrorproducer.log" ERROR | rex field=_raw "(?s)payload contents =(?<my_field>[^\*]+)\n\*+"

However, when I view the alert, it contains all the additional information, and it is due to the ERROR in the query. If I remove ERROR, the search returns no results.

I think there is some problem with the regex in the search. The above search works without ?<my_field> in an online regex tool.
Is there anything missing to use regex and fields?

Ananth

krishananth
Explorer

Hi Esix_splunk,

I was a bit unclear on the pipe symbol (I assumed it was OR). Now I'm able to extract the exception message based on a regex pattern, assign it to a field, and create an alert with 2 columns (_time and my field). This looks better now.

Thanks for your answer.

Ananth
