- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to use OR in regex to capture error messages f...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to use OR in regex to capture error messages from two different patterns of log files?
So I have the following log structure:
Oct 7 13:51:05, 10.96.3.29, 10.96.3.29, domain:,default [xyz][0x80e003aa][xmlparse][error] mpgw(AbcService): trans(2389130247)[request]: mismatched tag, expected meta at offset 675 of http://xyz/sales/zyx
Oct 7 13:51:05, 10.96.3.28, 10.96.3.28, domain:,default [abc][0x80e00161][mpgw][error] source-http(XyzService): trans(363541717)[x.x.x.x]: Request processing failed: Connection terminated before request headers read because of the connection error occurs, from URL: x.x.x.x:60510
I am trying to get the error_msg in a variable, but since the pattern is not distinct, I have to OR the matching pattern which matches anything after [request]: as Error and anything after [X.X.X.X]: as Error.
I created a regex which work well on a regex tester, but Splunk gives an error:
Error in 'rex' command: Encountered the following error while compiling the regex
'\[error\][^\(]+\((?<service>[^\)]+).+(trans\((\d+){8}\)\[\b(?:\d{1,3}\.){3}\d{1,3}\b\]\:\s+(?<error_msg>.+) | trans\((\d+){8}\)\[request\]\:\s+(?<error_msg>.+))': Regex: two named subpatterns have the same name
Below is my regex:
\[error\][^\(]+\((?<service>[^\)]+).+(trans\((\d+){8}\)\[\b(?:\d{1,3}\.){3}\d{1,3}\b\]\:\s+(?<error_msg>.+) | trans\((\d+){8}\)\[request\]\:\s+(?<error_msg>.+))
How to capture the ErrorMessage from the two pattern of log files ?
Extracting the fields doesn't work either and gives a lot of junk, so I would like to go through the regex way.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi vineetc,
Try this regex pattern:
\[error\].+?:\strans\(\d+\)\[(?:request|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]:\s(?<error_msg>.+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
Your Base Search | rex "\[error\][^\(]+\((?<service>[^\)]+).+(trans\((\d+){8}\)\[\b(?:\d{1,3}\.){3}\d{1,3}\b\]\:\s+(?<error_msg1>.+) | trans\((\d+){8}\)\[request\]\:\s+(?<error_msg2>.+))" | eval error_msg = coalesce(error_msg1, error_msg2)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is a way to make your regex more efficient/cleaner but the quickest answer is:
\[error\][^\(]+\((?<service>[^\)]+).+(trans\((\d+){8}\)\[\b(?:\d{1,3}\.){3}\d{1,3}\b\]\:\s+|trans\((\d+){8}\)\[request\]\:\s+)(?<error_msg>.+)
Use a pipe (|) within a capture group as an OR operator. You only specify (?.+) once.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have not tested this but just eye balling it, looks like you could get the error message with something like:
trans\(\d+\)\[[^\]+\]\:\s+(?<error_msg>.+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was able to add a character(?J) before the variable but seems like I still do get a lot of NULL in error_msg so something is there is my log which still doesnt match
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What about:
\]\:\s(?<error_msg>.+)
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
