Splunk Search

How to extract fields from my sample data and include these results in an email alert?

krishananth
Explorer

Hello,

I'm evaluating Splunk to capture data for raising data alerts, raising technical alerts, etc.
Most of the data generated is using Log4J2. I'm able to forward data from a Linux machine to a receiver (on a Windows PC).
I'm able to view the real-time search. Now I need to filter the data based on a regex or any expression and link it to email alerts.
I tried using fields, but it seems complex to extract data from my search results.
Below is sample data:

2015-04-07 17:05:09,019 ERROR o.m.e.DefaultMessagingExceptionStrategy [[SplunkErrorProducer-vv3].SplunkErrorProducerFlow.stage1.02] 
********************************************************************************
Message               : Component that caused exception is: DefaultJavaComponent{SplunkErrorProducerFlow.component.207509504}. Message payload is of type: String
Code                  : MULE_ERROR--2
--------------------------------------------------------------------------------
Exception stack is:
1. payload contents =
Printing: 
CommonProductResult #0 {..... 250 lines more ...}
*********************************************************************************

My questions are:
1) How do I extract data beginning from "payload contents" to the "********" line (around 250 lines, which is not fixed)?
2) Even if I define a field, how can the field data be part of the email body for an alert?

Could you help me on this? Is field object necessary or any other way to extract data based on specific pattern and link it to email Alerts?

Thank you,

Ananth

1 Solution

esix_splunk
Splunk Employee

For the regex, you can first test with an inline rex using multiline capture:

[search] | rex field=_raw "(?s)payload contents = (?<myfield>[^\*]+)\n\*+"

May need to adjust that a bit, I don't have time right now to run that through a regex validator. Once that field is extracted, you can reference the field in alerts. One way is to add the ... | table _time myfield ... to the end of your saved search.
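As an added example (not part of the answer above or of Splunk's own code), the following Python script runs the suggested rex pattern over a constructed copy of the event from the question, so the extraction can be checked offline before it is wired into an alert. Splunk's rex uses PCRE, which accepts the `(?<my_field>...)` group syntax; Python's `re` module spells the same named group `(?P<my_field>...)`, and that is the only change made to the pattern. The second function imitates what `| table _time my_field` would hand to an alert email: a row per event, with the field left empty for events where the pattern did not match, since rex simply creates no field on those events. The event text is constructed for this example; the "payload" lines stand in for the 250 lines the question mentions.

```python
import re
from datetime import datetime

# Constructed sample event modelled on the one in the question.
STARS = "*" * 80
SAMPLE_EVENT = "\n".join([
    "2015-04-07 17:05:09,019 ERROR o.m.e.DefaultMessagingExceptionStrategy "
    "[[SplunkErrorProducer-vv3].SplunkErrorProducerFlow.stage1.02] ",
    STARS,
    "Message               : Component that caused exception is: "
    "DefaultJavaComponent{SplunkErrorProducerFlow.component.207509504}. "
    "Message payload is of type: String",
    "Code                  : MULE_ERROR--2",
    "-" * 80,
    "Exception stack is:",
    "1. payload contents =",
    "Printing: ",
    "CommonProductResult #0 {",
    "  (constructed) payload line 1",
    "  (constructed) payload line 2",
    "}",
    STARS + "*",
])

# An event with no payload block, constructed to show the no-match case.
OTHER_EVENT = "2015-04-07 17:05:10,000 INFO o.m.e.SomeFlow started"

# The pattern as typed in Splunk (PCRE named group), kept for reference.
SPL_REX = r"(?s)payload contents =(?<my_field>[^\*]+)\n\*+"

# Same pattern in Python syntax: only the named-group spelling differs.
# [^\*]+ already spans line breaks (a negated class is not restricted by
# DOTALL), and the trailing \n\*+ makes the capture stop at the line of
# asterisks that closes the payload.
PY_REX = re.compile(r"(?s)payload contents =(?P<my_field>[^\*]+)\n\*+")


def extract_payload(event: str):
    """Return the text between 'payload contents =' and the closing
    asterisk line, or None when the event has no such block."""
    m = PY_REX.search(event)
    return m.group("my_field") if m else None


def parse_time(event: str) -> str:
    """Parse the Log4J2 timestamp at the start of the event into ISO 8601,
    standing in for Splunk's _time field."""
    date_part, time_part, _ = event.split(" ", 2)
    ts = datetime.strptime(f"{date_part} {time_part}", "%Y-%m-%d %H:%M:%S,%f")
    return ts.isoformat()


def build_alert_rows(events):
    """Imitate `| table _time my_field`: one row per event; my_field is
    None where the rex did not match, just as Splunk leaves it blank."""
    return [{"_time": parse_time(e), "my_field": extract_payload(e)}
            for e in events]


if __name__ == "__main__":
    for row in build_alert_rows([SAMPLE_EVENT, OTHER_EVENT]):
        print(row["_time"], "->", repr(row["my_field"]))
```

The captured field begins with the newline that follows `=` and ends at the closing brace, without the asterisk line; if the alert should drop the events that carry no payload, filtering on the field (in Splunk, `| where isnotnull(my_field)`) after the rex keeps only the matching rows.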

krishananth
Explorer

Hi,

I'm using the following search query to pick the payload contents.

sourcetype=MY_DEV source="/my_esb/logs/splunkerrorproducer.log" ERROR | rex field=_raw "(?s)payload contents =(?<my_field>[^\*]+)\n\*+"

However, when I view the alert, it contains all the additional information, and it is due to the ERROR in the query. If I remove ERROR, the search returns no results.

I think there is some problem with the regex in the search. The above search works without ?<my_field> in an online regex tool.
Is there anything missing to use regex and fields?

Ananth

krishananth
Explorer

Hi Esix_splunk,

I was a bit unclear on the pipe symbol (I assumed it meant OR). Now I'm able to extract the exception message based on the regex pattern, refer to it as a field, and create an alert with 2 columns (_time and my field). This looks better now.

Thanks for your answer.

Ananth
