Hello,
I'm running a streamstats command that prints out a series of previously-searched events. There is often more than one "ERROR" event within each group. As such, I want to rex the entire ERROR message (composed of multiple lines). Below is an example ERROR event (in BOLD).
2017-03-08 10:34:34,067 [ WARN] {Application Queue} (com.iba.tcs.beam.bds.devices.impl.gateway.rpc.ScanningControllerProxy) - ScanningController failure: NECU Transitioned to Error State NECU Error: [0x0] _SynchronizationSGCUTimeout : Timeslice: 163 Submap: 83 FCU Error: [0x0] _SynchronizationSGCUTimeout : Timeslice: 163 Submap: 83 RCU Error: [0x1] Threshold Violation : Timeslice: 162 Submap: 83 (X_VOLT_SEC_FB: -1.858963 V MapThresholdLow: -6.005e-02 MapThresholdHigh: 4.256e-01) SGCU Error: [0x10] _FilteringAbsolute : Timeslice: 159 Submap: 83 (MIN_CHARGE_PRIM: 6.159e-10 C AbsoluteThresholdLow: 7.119e-10 AbsoluteThresholdHigh: 7.569e-10)
As you can see, there are multiple lines for a single timestamp. I want to rex everything after the "ScanningController failure:" string. So the result would simply look like this:
NECU Transitioned to Error State NECU Error: [0x0] _SynchronizationSGCUTimeout : Timeslice: 163 Submap: 83 FCU Error: [0x0] _SynchronizationSGCUTimeout : Timeslice: 163 Submap: 83 RCU Error: [0x1] Threshold Violation : Timeslice: 162 Submap: 83 (X_VOLT_SEC_FB: -1.858963 V MapThresholdLow: -6.005e-02 MapThresholdHigh: 4.256e-01) SGCU Error: [0x10] _FilteringAbsolute : Timeslice: 159 Submap: 83 (MIN_CHARGE_PRIM: 6.159e-10 C AbsoluteThresholdLow: 7.119e-10 AbsoluteThresholdHigh: 7.569e-10)
How do I do this? I tried the following but it does not work:
| rex "Transitioned to Error State: .?(?<_error_msg>.?)$"
It would also be nice to extract that timestamp as well and place it in a variable if someone can help me do so!
Thank you in advance!
Can you try
rex "^(?P<time>[^\,]*)\,.*ScanningController failure\:\s(?<error_msg>.*)$"
Hey there,
| rex "Transitioned\sto\sError\sState\s+(?<ALL_ERROR_LINES>[\n\r\s\S\d]+)"
| rex max_match=10 "^(?<AA>[A-Z]+\sError:\s[^\n]+)"
props.conf
[your_sourcetype]
REPORT-multi_errors = multi_error_values
transforms.conf
[multi_error_values]
REGEX = ^(?<_KEY_1>[A-Z]+\sError):\s(?<_VAL_1>[^\n]+)
REPEAT_MATCH = true
CLEAN_KEYS = 1
Hope it helps.
Can you try
rex "^(?P<time>[^\,]*)\,.*ScanningController failure\:\s(?<error_msg>.*)$"
All I get from your rex is the following:
"NECU Transitioned to Error State" (this corresponds to the first line only). I need the remaining four lines as well. How do I grab those?
FYI, the logfile looks like this:
2017-03-08 10:34:34,067 [ WARN] {Application Queue} (com.iba.tcs.beam.bds.devices.impl.gateway.rpc.ScanningControllerProxy) - ScanningController failure: NECU Transitioned to Error State
NECU Error: [0x0] _SynchronizationSGCUTimeout : Timeslice: 163 Submap: 83
FCU Error: [0x0] _SynchronizationSGCUTimeout : Timeslice: 163 Submap: 83
RCU Error: [0x1] Threshold Violation : Timeslice: 162 Submap: 83 (X_VOLT_SEC_FB: -1.858963 V MapThresholdLow: -6.005e-02 MapThresholdHigh: 4.256e-01)
SGCU Error: [0x10] _FilteringAbsolute : Timeslice: 159 Submap: 83 (MIN_CHARGE_PRIM: 6.159e-10 C AbsoluteThresholdLow: 7.119e-10 AbsoluteThresholdHigh: 7.569e-10)
Try this regex string
ScanningController failure:\s(?<error_msg>.*)
The timestamp is already in a field called _time.
BTW, you shouldn't start your field names with an underscore. Such field names are reserved by Splunk.
All I get from your rex is the following:
"NECU Transitioned to Error State" (this corresponds to the first line only). I need the remaining four lines as well. How do I grab those?
FYI, the logfile looks like this:
2017-03-08 10:34:34,067 [ WARN] {Application Queue} (com.iba.tcs.beam.bds.devices.impl.gateway.rpc.ScanningControllerProxy) - ScanningController failure: NECU Transitioned to Error State
NECU Error: [0x0] _SynchronizationSGCUTimeout : Timeslice: 163 Submap: 83
FCU Error: [0x0] _SynchronizationSGCUTimeout : Timeslice: 163 Submap: 83
RCU Error: [0x1] Threshold Violation : Timeslice: 162 Submap: 83 (X_VOLT_SEC_FB: -1.858963 V MapThresholdLow: -6.005e-02 MapThresholdHigh: 4.256e-01)
SGCU Error: [0x10] _FilteringAbsolute : Timeslice: 159 Submap: 83 (MIN_CHARGE_PRIM: 6.159e-10 C AbsoluteThresholdLow: 7.119e-10 AbsoluteThresholdHigh: 7.569e-10)
Try adding the single line flag:
(?s)ScanningController failure:\s(?<error_msg>.*)
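The effect of the (?s) flag on the event quoted in this thread, as an added example that is not code from any poster: it uses Python's re module as a stand-in for Splunk's rex, so named groups are written (?P<name>...) instead of (?<name>...). The function names and the per-unit pattern are assumptions made for illustration.

```python
import re

# Constructed sample: the multi-line event quoted in the thread.
EVENT = (
    "2017-03-08 10:34:34,067 [ WARN] {Application Queue} "
    "(com.iba.tcs.beam.bds.devices.impl.gateway.rpc.ScanningControllerProxy) - "
    "ScanningController failure: NECU Transitioned to Error State\n"
    "NECU Error: [0x0] _SynchronizationSGCUTimeout : Timeslice: 163 Submap: 83\n"
    "FCU Error: [0x0] _SynchronizationSGCUTimeout : Timeslice: 163 Submap: 83\n"
    "RCU Error: [0x1] Threshold Violation : Timeslice: 162 Submap: 83 "
    "(X_VOLT_SEC_FB: -1.858963 V MapThresholdLow: -6.005e-02 MapThresholdHigh: 4.256e-01)\n"
    "SGCU Error: [0x10] _FilteringAbsolute : Timeslice: 159 Submap: 83 "
    "(MIN_CHARGE_PRIM: 6.159e-10 C AbsoluteThresholdLow: 7.119e-10 AbsoluteThresholdHigh: 7.569e-10)"
)

# Without (?s), "." stops at the first newline; with it, "." also matches newlines.
WITHOUT_DOTALL = re.compile(r"ScanningController failure:\s(?P<error_msg>.*)")
WITH_DOTALL = re.compile(r"(?s)ScanningController failure:\s(?P<error_msg>.*)")
# (?m) lets ^ and $ match at every line boundary, so each "<UNIT> Error:" line is found.
PER_UNIT = re.compile(
    r"(?m)^(?P<unit>[A-Z]+) Error: \[(?P<code>0x[0-9a-fA-F]+)\] (?P<detail>.*)$"
)

def extract_error_msg(event, dotall=True):
    """Return the text after 'ScanningController failure:', or None if absent."""
    m = (WITH_DOTALL if dotall else WITHOUT_DOTALL).search(event)
    return m.group("error_msg") if m else None

def per_unit_errors(event):
    """Split the full multi-line message into {unit: (code, detail)}."""
    msg = extract_error_msg(event) or ""
    return {m["unit"]: (int(m["code"], 16), m["detail"])
            for m in PER_UNIT.finditer(msg)}

if __name__ == "__main__":
    print(repr(extract_error_msg(EVENT, dotall=False)))
    print(extract_error_msg(EVENT).count("\n") + 1, "lines captured with (?s)")
    for unit, (code, detail) in per_unit_errors(EVENT).items():
        print(unit, hex(code), detail)
```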