Splunk Search

How do I edit my "eval field=substr..." syntax to remove part of a stacktrace after a certain string?

sickyb
Engager

Hi

I'm trying to create a dashboard where I count stacktraces in the logging. (The long-term goal is to get rid of all stacktraces, but we need to prioritize 🙂 )

To do this, I need to cut off the low level part of the stacktrace, the part that doesn't come from our code, but from the libraries that are packed with the distribution of the OS.

The cut-off point is easily recognized because it starts with "at android.os", so I need to do something like:

eval action=substr(action,0,<xxx>) 

where <xxx> is the position in the string that starts with "at android.os"

Any ideas on how to do this?

1 Solution

richgalloway
SplunkTrust

Are you married to using substr? If not, rex can do the job. Try

... | rex field=action "(?<action>.*) at android\.os" | ...
---
If this reply helps you, Karma would be appreciated.


sickyb
Engager

Nope not married to substr but your regex leaves me with an error

Regex: unrecognized character after (? or (?-

So I added the fieldname after the ? leaving me with

rex field=action "(?/.*) at android\.os"

Which left me with the entire stacktrace once again. This led me to believe that the regex indeed matches the right string but then doesn't cut the rest of it. Because the stacktrace is sent from a mobile device it is compacted into a single line, no endlines there. So when I added mode=sed to the expression I got

Failed to initialize sed. cannot find sed command: (

richgalloway
SplunkTrust

The board dropped a key piece from my answer, which I have corrected. Try again.

---
If this reply helps you, Karma would be appreciated.

sickyb
Engager

That is precisely what I did, but like I said, that leaves me with the entire stacktrace instead of just the part before the "at android.os".

The editor for this Q&A forum probably does some input sanitation, throwing away the part with the triangular brackets < >.


richgalloway
SplunkTrust

Hmm... I wonder if rex needs separate field names. Try

rex field=action "(?<newAction>.*) at android\.os"
---
If this reply helps you, Karma would be appreciated.

sickyb
Engager

Nope still the same.


richgalloway
SplunkTrust

Did you remove the 'mode=sed'? Can you share a stacktrace so I can make sure the regex is correct?

---
If this reply helps you, Karma would be appreciated.

sickyb
Engager

java.lang.NullPointerException: Attempt to invoke virtual method 'android.content.SharedPreferences android.content.Context.getSharedPreferences(java.lang.String, int)' on a null object reference at rd.random.mized.a.a(SourceFile:26) at rd.random.mized.connectivity.statusapp.d.b(SourceFile:89) at rd.random.mized.connectivity.statusapp.d.a(SourceFile:50) at rd.random.mized.c.a.a(SourceFile:99) at rd.random.mized.c.a.a(SourceFile:49) at rd.random.mized.connectivity.statusapp.c.a(SourceFile:47) at rd.random.mized.connectivity.statusapp.c.a(SourceFile:28) at rd.random.mized.connectivity.ConnectionHandler$1.run(SourceFile:101) at android.os.Handler.handleCallback(Handler.java:739) at android.os.Handler.dispatchMessage(Handler.java:95) at android.os.Looper.loop(Looper.java:145) at android.app.ActivityThread.main(ActivityThread.java:5832) at java.lang.reflect.Method.invoke(Native Method) at java.lang.reflect.Method.invoke(Method.java:372) at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:1399) at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1194)


richgalloway
SplunkTrust

Thanks for the example event. This rex command works with that data.

rex field=action "(?<newAction>.*?) at android\.os"
---
If this reply helps you, Karma would be appreciated.

sickyb
Engager

In the end creating a new field using this regex for the extraction worked.

^.*native-shell\;(?P<native_android_stacktrace>.*)\tat\ android.os.Handler  

The native-shell part is added because the field extraction is done on the RAW data instead of the action field.
Learning something new every day 🙂 Let's continue doing that in 2016, Happy new year
and Thanks for the help.

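The difference between the two rex commands in this thread is the quantifier: greedy `.*` runs to the last " at android.os" in the line, lazy `.*?` stops at the first one, which is the cut point the question asks for. The example below is added here and is not code from the thread or from Splunk; it replays both patterns with Python's `re` module over constructed single-line events (the first is the stack trace posted above, the others are made-up variations) and then groups events by their application-level frames, which is the count the dashboard needs. Python needs `(?P<name>...)` for named groups where Splunk's PCRE also accepts `(?<name>...)`. The raw-event pattern at the end assumes tab-separated frames behind a `native-shell;` prefix, matching the shape of the final extraction regex; that layout is an assumption, since the page never shows a raw event.

```python
import re
from collections import Counter

# Constructed sample events. TRACE_A is the stack trace posted in the thread (the value of the
# "action" field, frames separated by spaces); TRACE_B and TRACE_C are made up for this example.
TRACE_A = (
    "java.lang.NullPointerException: Attempt to invoke virtual method "
    "'android.content.SharedPreferences android.content.Context.getSharedPreferences(java.lang.String, int)' "
    "on a null object reference at rd.random.mized.a.a(SourceFile:26) "
    "at rd.random.mized.connectivity.statusapp.d.b(SourceFile:89) "
    "at rd.random.mized.connectivity.ConnectionHandler$1.run(SourceFile:101) "
    "at android.os.Handler.handleCallback(Handler.java:739) "
    "at android.os.Handler.dispatchMessage(Handler.java:95) "
    "at android.os.Looper.loop(Looper.java:145) "
    "at android.app.ActivityThread.main(ActivityThread.java:5832) "
    "at java.lang.reflect.Method.invoke(Native Method)"
)
TRACE_B = (  # constructed: a different app-level failure that ends in the same OS frames
    "java.lang.IllegalStateException: not connected "
    "at rd.random.mized.connectivity.statusapp.c.a(SourceFile:47) "
    "at android.os.Handler.handleCallback(Handler.java:739) "
    "at android.os.Looper.loop(Looper.java:145)"
)
TRACE_C = "java.io.IOException: timeout"  # constructed: no frames, so no cut point at all

EVENTS = [TRACE_A, TRACE_A, TRACE_B, TRACE_C]

# The accepted answer's regex in its greedy and lazy forms.
GREEDY = re.compile(r"(?P<action>.*) at android\.os")
LAZY = re.compile(r"(?P<action>.*?) at android\.os")

# Raw-event variant modelled on the final post's extraction: assumed layout with the trace
# behind "native-shell;" and tab-separated frames (assumption, not shown on the page).
RAW_LAZY = re.compile(
    r"^.*?native-shell;(?P<native_android_stacktrace>.*?)\tat android\.os\.Handler"
)


def app_frames(event, pattern=LAZY):
    """Return the trace up to the matched ' at android.os' (first occurrence with LAZY,
    last occurrence with GREEDY), or None when nothing matches, which mirrors rex
    leaving the field unset."""
    m = pattern.search(event)
    return m.group(1) if m else None


def count_traces(events, pattern=LAZY):
    """Group events by their application-level frames. Events that do not match are
    counted under their full text so they do not silently vanish from the dashboard."""
    counts = Counter()
    for event in events:
        key = app_frames(event, pattern)
        counts[key if key is not None else event] += 1
    return counts


if __name__ == "__main__":
    for key, n in count_traces(EVENTS).most_common():
        print(n, key[:80])
```

Running it prints the trimmed trace of TRACE_A with a count of 2, then TRACE_B and the frameless TRACE_C with 1 each. Switching `count_traces(EVENTS, GREEDY)` keeps the `android.os.Handler` frames in the key, which is why the greedy form over-matches on these single-line events.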