Need help with REX and Panels

karanvirsharma
New Member

Hi, I am newbie to Splunk.
Here are some of my sample logs. I need to count the number of occurrences of each of these exceptions, and I would also like to build a panel that gives me these unique occurrences (in bold below).

org.mule.module.xml.filters.SchemaValidationFilter - SchemaValidationFilter rejected a message because it apparently failed to validate against the schema.
org.xml.sax.SAXParseException: cvc-maxLength-valid: Value 'Georgia Tech Yellow Jacke Heather Navy S Interbay Melange Stripe P' with length = '66' is not facet-valid with respect to maxLength '65' for type '#AnonType_DescriptionItemMessagetXML'.

DEBUG org.mule.module.xml.filters.SchemaValidationFilter - SchemaValidationFilter rejected a message because it apparently failed to validate against the schema.
org.xml.sax.SAXParseException: cvc-maxLength-valid: Value 'West Virginia Mountaineer No Color Yth XL Youth Girls CO3 Judo Flee' with length = '67' is not facet-valid with respect to maxLength '65' for type '#AnonType_DescriptionItemMessagetXML'.

This is what I have written so far:

index=Mule source = "*item-subscriber-manhattan*" "*is not facet-valid with respect to maxLength '65' for type*" | rex field=_raw "SchemaValidationFilter rejected a message because it apparently failed to validate against the schema. org.xml.sax.SAXParseException: cvc-maxLength-valid: Value (?<from>.*) is not facet-valid with respect to maxLength '65'(?<to>.*)"  | timechart span=1d count by to

The problem I have is that when I put it in a panel, even though it shows the counts, it still shows "Count" as NULL, and when I try to drill through it, it doesn't show any logs (until I clear out the bold text below):

index=Mule source = "*item-subscriber-manhattan*" "*is not facet-valid with respect to maxLength '65' for type*" | rex field=_raw "SchemaValidationFilter rejected a message because it apparently failed to validate against the schema. org.xml.sax.SAXParseException: cvc-maxLength-valid: Value (?<from>.*) is not facet-valid with respect to maxLength '65'(?<to>.*)"  | **search to=NULL**


So please help me: how can I find all these unique "exception strings", and how can I make sure that my count doesn't show NULL and that the search works fine when I click on the drill-through in the panel?

0 Karma

gokadroid
Motivator

Assuming your intention was to catch the red pieces from this log line:

org.xml.sax.SAXParseException: cvc-maxLength-valid: Value 'Georgia Tech Yellow Jacke Heather Navy S Interbay Melange Stripe P' with length = '66' is not facet-valid with respect to maxLength '65' for type '#AnonType_DescriptionItemMessagetXML'.

How about you give this a try, so that the first text of interest gets caught in the field from and the second text of interest gets caught in the field to, as is done in the query below:

index=Mule source = "*item-subscriber-manhattan*" "*is not facet-valid with respect to maxLength '65' for type*" 
| rex field=_raw ".*cvc-maxLength-valid:\sValue\s(?<from>.*)\sis not facet-valid with respect to maxLength '65' for type (?<to>.*)"
| timechart span=1d count by to useother=f usenull=f

Hope it helps! See extraction here

0 Karma
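The difference between the two rex patterns in this thread is easy to see outside Splunk. The following Python snippet is an added example, not code from the thread: it runs the asker's rex and the answer's rex (with the missing space before "for type" restored) over constructed events modelled on the two excerpts in the question, then mimics `count by to` with and without `usenull=f`. It assumes that Splunk stored each two-line excerpt as one multi-line event, so the SAXParseException line follows a newline rather than a space; under that assumption the asker's pattern, which requires a literal space between "schema." and "org.xml", never matches, every event has a null `to`, and the chart's only series is NULL. A drilldown that appends `to=NULL` then returns nothing, because `to=NULL` matches the literal string "NULL", not an absent field (`NOT to=*` would find those events). Splunk's `(?<name>...)` groups are written `(?P<name>...)` for Python's `re`; the names `SAMPLE_EVENTS`, `extract` and `count_by_to` are this example's own.

```python
import re
from collections import Counter

# Constructed sample events modelled on the two log excerpts in the question
# (not real data). Assumption: Splunk merged each two-line excerpt into one
# multi-line event, so the SAXParseException line follows a newline.
SAMPLE_EVENTS = [
    "DEBUG org.mule.module.xml.filters.SchemaValidationFilter - SchemaValidationFilter "
    "rejected a message because it apparently failed to validate against the schema.\n"
    "org.xml.sax.SAXParseException: cvc-maxLength-valid: Value 'Georgia Tech Yellow "
    "Jacke Heather Navy S Interbay Melange Stripe P' with length = '66' is not "
    "facet-valid with respect to maxLength '65' for type "
    "'#AnonType_DescriptionItemMessagetXML'.",
    "DEBUG org.mule.module.xml.filters.SchemaValidationFilter - SchemaValidationFilter "
    "rejected a message because it apparently failed to validate against the schema.\n"
    "org.xml.sax.SAXParseException: cvc-maxLength-valid: Value 'West Virginia "
    "Mountaineer No Color Yth XL Youth Girls CO3 Judo Flee' with length = '67' is not "
    "facet-valid with respect to maxLength '65' for type "
    "'#AnonType_DescriptionItemMessagetXML'.",
    # Constructed: same facet, a hypothetical second element type.
    "DEBUG org.mule.module.xml.filters.SchemaValidationFilter - SchemaValidationFilter "
    "rejected a message because it apparently failed to validate against the schema.\n"
    "org.xml.sax.SAXParseException: cvc-maxLength-valid: Value 'Some Other Product "
    "Description That Is Also Too Long For The Schema Limit Here' with length = '71' "
    "is not facet-valid with respect to maxLength '65' for type "
    "'#AnonType_ColorItemMessageXML'.",
    # Constructed: an event the rex cannot parse (in Splunk the base search would
    # normally drop it; here it stands in for any event that yields a null "to").
    "DEBUG org.mule.module.xml.filters.SchemaValidationFilter - SchemaValidationFilter "
    "accepted a message.",
]

# The asker's rex in Python syntax. It insists on a single literal space between
# "schema." and "org.xml", so it never matches an event where that boundary is a
# newline: nothing is extracted and "to" is null for every event.
ORIGINAL_REX = re.compile(
    r"SchemaValidationFilter rejected a message because it apparently failed to validate "
    r"against the schema. org.xml.sax.SAXParseException: cvc-maxLength-valid: "
    r"Value (?P<from>.*) is not facet-valid with respect to maxLength '65'(?P<to>.*)"
)

# gokadroid's rex, anchored only on the SAXParseException line, with the
# missing space before "for type" restored.
ANSWER_REX = re.compile(
    r"cvc-maxLength-valid:\sValue\s(?P<from>.*)\sis not facet-valid with respect to "
    r"maxLength '65' for type (?P<to>.*)"
)


def extract(event, rex=ANSWER_REX):
    """Return (from, to) for one event, or None when the rex does not match."""
    m = rex.search(event)
    return (m.group("from"), m.group("to")) if m else None


def count_by_to(events, rex=ANSWER_REX, usenull=False):
    """Mimic `count by to`: count events per extracted "to" value.

    usenull=False (Splunk's usenull=f) drops events where the rex extracted
    nothing; usenull=True reports them under a "NULL" series instead.
    """
    counts = Counter()
    for event in events:
        fields = extract(event, rex)
        if fields is None:
            if usenull:
                counts["NULL"] += 1
            continue
        counts[fields[1]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("asker's rex:  ", count_by_to(SAMPLE_EVENTS, ORIGINAL_REX, usenull=True))
    print("answer's rex: ", count_by_to(SAMPLE_EVENTS))
```

With the asker's rex every event lands in the NULL series; with the answer's rex the two distinct type names are counted and the unparseable event disappears once `usenull=f` is applied.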

beatus
Communicator

karanvirsharma,
You have three options here:

1. Make that rex a field extraction. You can do this by adding it to props.conf under that sourcetype as such:

[my_sourcetype]
EXTRACT-from_to = SchemaValidationFilter rejected a message because it apparently failed to validate against the schema. org.xml.sax.SAXParseException: cvc-maxLength-valid: Value (?<from>.*) is not facet-valid with respect to maxLength '65'(?<to>.*)

This will cause the fields to be automatically extracted.

2. Replace your < and > with the encoded version (< == &lt; and > == &gt;).

3. Utilize CDATA for the search in the XML:

<param name="search"><![CDATA[ index=Mule source = "*item-subscriber-manhattan*" "*is not facet-valid with respect to maxLength '65' for type*" | rex field=_raw "SchemaValidationFilter rejected a message because it apparently failed to validate against the schema. org.xml.sax.SAXParseException: cvc-maxLength-valid: Value (?<from>.*) is not facet-valid with respect to maxLength '65'(?<to>.*)" | timechart span=1d count by to]]></param>

Hope this helps!

0 Karma
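Options 2 and 3 above are both about XML well-formedness: a dashboard search that contains rex named groups such as `(?<from>.*)` puts literal `<from>` and `<to>` tags into the dashboard XML, and the parser rejects the file. The following Python snippet is an added example, not code from the thread: it wraps a search in the `<param name="search">` element used above three ways (raw, entity-escaped with `xml.sax.saxutils.escape`, and inside a CDATA section), parses each with the standard-library XML parser, and returns the search text the dashboard would actually receive. Simple XML `<query>` elements follow the same rules. The helper names `param_raw`, `param_escaped`, `param_cdata` and `parsed_search` are this example's own.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# The corrected search from the thread; the rex named groups contain '<' and '>'.
SEARCH = (
    'index=Mule source="*item-subscriber-manhattan*" '
    '"*is not facet-valid with respect to maxLength \'65\' for type*" '
    '| rex field=_raw "cvc-maxLength-valid:\\sValue\\s(?<from>.*)\\sis not facet-valid '
    'with respect to maxLength \'65\' for type (?<to>.*)" '
    '| timechart span=1d count by to useother=f usenull=f'
)


def param_raw(search):
    """Option 0: paste the search in unchanged. '<from>' becomes an XML tag."""
    return f'<param name="search">{search}</param>'


def param_escaped(search):
    """Option 2: encode &, < and > as entities so they are plain character data."""
    return f'<param name="search">{escape(search)}</param>'


def param_cdata(search):
    """Option 3: CDATA section; everything inside is literal text.

    The one string CDATA cannot carry is the terminator ']]>', so refuse it.
    """
    if "]]>" in search:
        raise ValueError("search contains ']]>', which would terminate the CDATA section")
    return f'<param name="search"><![CDATA[{search}]]></param>'


def parsed_search(xml_text):
    """Parse one element and return its text (what the dashboard would run),
    or None when the XML is not well-formed."""
    try:
        return ET.fromstring(xml_text).text
    except ET.ParseError:
        return None


if __name__ == "__main__":
    for label, wrapper in (("raw", param_raw), ("escaped", param_escaped), ("cdata", param_cdata)):
        result = parsed_search(wrapper(SEARCH))
        status = "parse error" if result is None else ("round-trips" if result == SEARCH else "altered")
        print(f"{label:8s}: {status}")
```

The raw form fails to parse because `<from>` and `<to>` open elements that `</param>` cannot close; both the escaped and the CDATA forms parse, and in each case the text handed to the search engine is byte-for-byte the original SPL, so the choice between options 2 and 3 is purely one of readability.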