Splunk Search

Need help with REX and Panels

karanvirsharma
New Member

Hi, I am a newbie to Splunk.
Here are some of my sample logs, where I need to count the number of occurrences for each of these exceptions. I would also like to build a panel that gives me these unique occurrences (in bold below).

org.mule.module.xml.filters.SchemaValidationFilter - SchemaValidationFilter rejected a message because it apparently failed to validate against the schema.
org.xml.sax.SAXParseException: cvc-maxLength-valid: Value 'Georgia Tech Yellow Jacke Heather Navy S Interbay Melange Stripe P' with length = '66' is not facet-valid with respect to maxLength '65' for type '#AnonType_DescriptionItemMessagetXML'.

DEBUG org.mule.module.xml.filters.SchemaValidationFilter - SchemaValidationFilter rejected a message because it apparently failed to validate against the schema.
org.xml.sax.SAXParseException: cvc-maxLength-valid: Value 'West Virginia Mountaineer No Color Yth XL Youth Girls CO3 Judo Flee' with length = '67' is not facet-valid with respect to maxLength '65' for type '#AnonType_DescriptionItemMessagetXML'.

This is what I have written so far:

index=Mule source = "*item-subscriber-manhattan*" "*is not facet-valid with respect to maxLength '65' for type*" | rex field=_raw "SchemaValidationFilter rejected a message because it apparently failed to validate against the schema. org.xml.sax.SAXParseException: cvc-maxLength-valid: Value (?<from>.*) is not facet-valid with respect to maxLength '65'(?<to>.*)"  | timechart span=1d count by to

The problem I have is that when I put it in a panel, even though it shows the counts, it still shows "Count" as NULL, and when I try to drill through it, it doesn't show any logs (until I clear out the bold text below).

index=Mule source = "*item-subscriber-manhattan*" "*is not facet-valid with respect to maxLength '65' for type*" | rex field=_raw "SchemaValidationFilter rejected a message because it apparently failed to validate against the schema. org.xml.sax.SAXParseException: cvc-maxLength-valid: Value (?<from>.*) is not facet-valid with respect to maxLength '65'(?<to>.*)"  | **search to=NULL**


So please help me: how can I find all these unique "exception strings", and how can I make sure that my count doesn't show NULL and that the search works fine when I click on the drill-through in the panel?

0 Karma

gokadroid
Motivator

Assuming your intention was to catch the red pieces from this log line:

org.xml.sax.SAXParseException: cvc-maxLength-valid: Value 'Georgia Tech Yellow Jacke Heather Navy S Interbay Melange Stripe P' with length = '66' is not facet-valid with respect to maxLength '65' for type '#AnonType_DescriptionItemMessagetXML'.

How about you give this a try, so that the first text of interest gets caught in the field from and the second text of interest gets caught in the field to, as is done in the query below:

index=Mule source = "*item-subscriber-manhattan*" "*is not facet-valid with respect to maxLength '65' for type*" 
| rex field=_raw ".*cvc-maxLength-valid:\sValue\s(?<from>.*)\sis not facet-valid with respect to maxLength '65' for type (?<to>.*)"
| timechart span=1d count by to useother=f usenull=f

Hope it helps! See the extraction here

0 Karma
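To see why the question's rex leaves `to` empty while the answer's version fills it, here is an added Python check that is not part of either post. It runs both patterns (rewritten in Python's `(?P<name>...)` group syntax) over constructed multi-line events modelled on the sample log lines, and counts by `to` the way `stats count by to` would, with `None` standing in for Splunk's NULL. The third event is invented so that a second distinct type shows up; the helper names `count_by_to` and `unique_types` are this example's own.

```python
import re
from collections import Counter

# Constructed sample events modelled on the two excerpts in the question; the
# third one is invented so that a second distinct type shows up. Each Splunk
# event is the filter message and the exception joined by a newline, which is
# how the two lines appear in the question.
EVENTS = [
    "org.mule.module.xml.filters.SchemaValidationFilter - SchemaValidationFilter "
    "rejected a message because it apparently failed to validate against the schema.\n"
    "org.xml.sax.SAXParseException: cvc-maxLength-valid: Value 'Georgia Tech Yellow "
    "Jacke Heather Navy S Interbay Melange Stripe P' with length = '66' is not "
    "facet-valid with respect to maxLength '65' for type "
    "'#AnonType_DescriptionItemMessagetXML'.",
    "DEBUG org.mule.module.xml.filters.SchemaValidationFilter - SchemaValidationFilter "
    "rejected a message because it apparently failed to validate against the schema.\n"
    "org.xml.sax.SAXParseException: cvc-maxLength-valid: Value 'West Virginia "
    "Mountaineer No Color Yth XL Youth Girls CO3 Judo Flee' with length = '67' is not "
    "facet-valid with respect to maxLength '65' for type "
    "'#AnonType_DescriptionItemMessagetXML'.",
    "DEBUG org.mule.module.xml.filters.SchemaValidationFilter - SchemaValidationFilter "
    "rejected a message because it apparently failed to validate against the schema.\n"
    "org.xml.sax.SAXParseException: cvc-maxLength-valid: Value 'Made-up value that is "
    "far too long for the field it was posted into, for the sake of the example' with "
    "length = '96' is not facet-valid with respect to maxLength '65' for type "
    "'#AnonType_ColorItemMessagetXML'.",
]

# The question's rex, transcribed to Python syntax. It requires "schema." and
# "org.xml" to be separated by a space, but in the event they are separated by
# a newline, and '.' does not match a newline, so the pattern never matches
# and 'to' stays NULL for every event.
ORIGINAL = re.compile(
    r"SchemaValidationFilter rejected a message because it apparently failed to "
    r"validate against the schema. org.xml.sax.SAXParseException: "
    r"cvc-maxLength-valid: Value (?P<from>.*) is not facet-valid with respect to "
    r"maxLength '65'(?P<to>.*)"
)

# The answer's rex with the space before "for type" restored. It starts at the
# stable "cvc-maxLength-valid:" token on the second line, so the line break in
# front of it does not matter.
FIXED = re.compile(
    r"cvc-maxLength-valid:\sValue\s(?P<from>.*)\sis not facet-valid with respect to "
    r"maxLength '65' for type (?P<to>.*)"
)


def count_by_to(events, pattern):
    """Mimic `| rex ... | stats count by to`: one bucket per distinct 'to'
    value, with None for events where the rex extracted nothing (Splunk's NULL)."""
    counts = Counter()
    for raw in events:
        m = pattern.search(raw)
        counts[m.group("to") if m else None] += 1
    return dict(counts)


def unique_types(events, pattern=FIXED):
    """The distinct 'to' values, i.e. the series that `usenull=f` keeps in the chart."""
    return sorted(t for t in count_by_to(events, pattern) if t is not None)


if __name__ == "__main__":
    print("question's rex:", count_by_to(EVENTS, ORIGINAL))
    print("answer's rex:  ", count_by_to(EVENTS, FIXED))
    print("unique types:  ", unique_types(EVENTS))
```

The first line of output is the symptom from the question (every event lands in the NULL bucket); the second is what the corrected rex produces, and `unique_types` is the list the panel should be built from.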

beatus
Communicator

karanvirsharma,
You have three options here:

1. Make that rex a field extraction. You can do this by adding it to props.conf under that sourcetype, as such:

[my_sourcetype]
EXTRACT-from_to = SchemaValidationFilter rejected a message because it apparently failed to validate against the schema. org.xml.sax.SAXParseException: cvc-maxLength-valid: Value (?<from>.*) is not facet-valid with respect to maxLength '65'(?<to>.*)

This will cause the fields to be automatically extracted.
2. Replace your < and > with the encoded versions (< == &lt; and > == &gt;)
3. Utilize CDATA for the search in the XML:

<param name="search"><![CDATA[ index=Mule source = "*item-subscriber-manhattan*" "*is not facet-valid with respect to maxLength '65' for type*" | rex field=_raw "SchemaValidationFilter rejected a message because it apparently failed to validate against the schema. org.xml.sax.SAXParseException: cvc-maxLength-valid: Value (?<from>.*) is not facet-valid with respect to maxLength '65'(?<to>.*)" | timechart span=1d count by to]]></param>

Hope this helps!

0 Karma
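Options 2 and 3 above can be checked outside Splunk. The following is an added Python example, not code from the answer: it wraps the question's search in a minimal `<param name="search">` element the way the answer does, once with the raw `(?<from>...)` group, once with `&lt;`/`&gt;` entities, once inside CDATA, and parses each with the standard library XML parser. `panel_xml` and `query_from_panel` are hypothetical helper names for this illustration, and the `<panel>` wrapper is just enough XML to be well-formed.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# The question's search, with the documented `field=_raw` syntax. The named
# groups (?<from>...) and (?<to>...) are what trip up the dashboard XML.
SEARCH = (
    'index=Mule source="*item-subscriber-manhattan*" '
    '"*is not facet-valid with respect to maxLength \'65\' for type*" '
    '| rex field=_raw "SchemaValidationFilter rejected a message because it '
    'apparently failed to validate against the schema. '
    'org.xml.sax.SAXParseException: cvc-maxLength-valid: Value (?<from>.*) '
    'is not facet-valid with respect to maxLength \'65\'(?<to>.*)" '
    '| timechart span=1d count by to'
)


def panel_xml(search_text, mode):
    """Build a minimal panel fragment (hypothetical wrapper) around the search,
    embedding it raw, entity-escaped (option 2) or in a CDATA section (option 3)."""
    if mode == "raw":
        body = search_text
    elif mode == "escaped":
        body = escape(search_text)  # '<' -> '&lt;', '>' -> '&gt;', '&' -> '&amp;'
    elif mode == "cdata":
        body = "<![CDATA[" + search_text + "]]>"
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return f'<panel><param name="search">{body}</param></panel>'


def query_from_panel(xml_text):
    """Parse the fragment as any XML loader must, and return the search string it
    carries, or None when the XML is not well-formed (a raw <from> opens a tag that
    is never closed, so the parser rejects the whole document)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return root.find("param").text


if __name__ == "__main__":
    for mode in ("raw", "escaped", "cdata"):
        print(f"{mode:8s} -> {query_from_panel(panel_xml(SEARCH, mode))!r}")
```

Only the raw form fails to parse; the escaped and CDATA forms both hand the exact original search string back to the dashboard, which is why either fix from the answer works.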