Splunk Search

Pick up the first occurrence of a word

jw44250
New Member

I want to pick only the first occurrence of a word.

index = index1 ERROR

Event Result

2017-04-29T18:29:27.246+0000
message test error
testError
requestURl="home/testError"

But I am only interested in the word Error. I thought I could do it with a case-insensitive search, but that is not the correct option, or with the != operator, but that may be too dangerous; I might lose some other events.

0 Karma

danielsofoulis
Path Finder

Try this

index=index1 | rex field=requestURl "\w+\/test(?<error>Error)" | fields error
0 Karma

somesoni2
SplunkTrust

If the location of the word ERROR (I'm assuming it's the one that appears after the timestamp) is the filter criterion, try like this:

index=index1 ERROR | regex _raw="^\S+\s+ERROR.+"

jw44250
New Member

It works, thanks, but I'm interested only in the first occurrence of the word error, not the rest.

Log Sample

Line 1 --> 2017-04-29T18:29:27.246+0000
Line 2 --> message test error
Line 3 --> testError
Line 4 --> requestURl="home/testError"

I only want the Error in Line 2, which is the first appearance of "ERROR".

I used this command and it works, but I can still see that it selects every error in the same event.

index = index1 "ERROR"
| regex _raw="\bError\b"

0 Karma

somesoni2
SplunkTrust

So do you have multiline events (field linecount>1)? If yes, then is there any rule like 'only select the events which have the word error in line 2' or something similar? What should happen if line 3 instead of line 2 has the word error?

0 Karma

jw44250
New Member

As soon as I see the error I want to stop; it doesn't matter if it is in line 1, 2, 3, etc. It can be anywhere in the event.

0 Karma

somesoni2
SplunkTrust

What do you want to do after you've picked that first Error word? Do you want to extract any field value around it?

0 Karma

jw44250
New Member

I don't want to extract to any field, but I'm interested in the whole _raw data.

0 Karma

DalJeanis
SplunkTrust

I think you've got what he means.

0 Karma

DalJeanis
SplunkTrust

Updated 8:00 PM CDT (Central US Daylight Saving Time)

This should select the first line that has the word "error", in any case, anywhere in the line.

index = index1 "ERROR"
| rex field=_raw "(?im)^(?<theline>.*error.*)$"
| table _time theline
0 Karma
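To make the difference between the two approaches in this thread concrete, here is an added Python re-implementation of the three regexes discussed (it is not code from the thread or from Splunk; Splunk's `regex` and `rex` use PCRE, and Python's `re` behaves the same for these constructs). The three events are constructed samples modelled on the ones posted above. `(?im)` in the SPL maps to `re.IGNORECASE | re.MULTILINE`, and, as in PCRE, `.` does not cross a newline unless `(?s)` is set.

```python
import re

# Constructed sample events modelled on the thread's posts (not real log data).
# EVENT_A: ERROR is the token right after the timestamp, and the word recurs.
EVENT_A = (
    "2017-04-15T19:19:51.669+0000 ERROR unknown error\n"
    "ERROR\n"
    'requestURI="url/test.error"\n'
    "something happened error"
)
# EVENT_B: the first line is only a timestamp; "error" first shows up in line 2.
EVENT_B = (
    "2017-04-29T18:29:27.246+0000\n"
    "message test error\n"
    "testError\n"
    'requestURl="home/testError"'
)
# EVENT_C: ERROR is the last token on the first line (edge case for `.+`).
EVENT_C = "2017-04-15T19:19:51.669+0000 ERROR\nunknown error"

# somesoni2's filter:  | regex _raw="^\S+\s+ERROR.+"
# Keeps an event only when the token after the timestamp is the literal ERROR.
# Note the trailing `.+`: it needs at least one non-newline character after
# ERROR, so an event whose first line ends right after ERROR is NOT kept.
LEVEL_AFTER_TIMESTAMP = re.compile(r"^\S+\s+ERROR.+")

def error_follows_timestamp(raw):
    return LEVEL_AFTER_TIMESTAMP.search(raw) is not None

# The asker's filter:  | regex _raw="\bERROR\b"
# `regex` is an event filter: the whole event passes or is dropped. It never
# trims the event to one occurrence, which is why every ERROR stayed visible.
# It is also case-sensitive, unlike the bare search term "ERROR" in the base search.
WORD_ERROR = re.compile(r"\bERROR\b")

def regex_keeps_event(raw):
    return WORD_ERROR.search(raw) is not None

# DalJeanis's extraction:  | rex field=_raw "(?im)^(?<theline>.*error.*)$"
# (?i) ignores case, (?m) lets ^ and $ anchor at line boundaries. The engine
# returns the first line that matches, i.e. the "first occurrence" wanted here.
FIRST_ERROR_LINE = re.compile(
    r"^(?P<theline>.*error.*)$", re.IGNORECASE | re.MULTILINE
)

def first_error_line(raw):
    m = FIRST_ERROR_LINE.search(raw)
    return m.group("theline") if m else None

if __name__ == "__main__":
    for name, raw in (("A", EVENT_A), ("B", EVENT_B), ("C", EVENT_C)):
        print(name, error_follows_timestamp(raw), regex_keeps_event(raw),
              repr(first_error_line(raw)))
```

The `rex` form is the one that answers the question as asked: it yields a `theline` field holding the first matching line while leaving `_raw` untouched, whereas either `regex` form can only decide whether the whole event is kept.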

jw44250
New Member

Hi,

It didn't work, I'm getting an error:
Error in 'SearchOperator:regex': Usage: regex (=|!=)

And ERROR is not a field.

0 Karma

jw44250
New Member

Sample Event Result 1:
2017-04-15T19:19:51.669+0000 ERROR
unknown error..........................
ERROR
....................................requestURI="url/test.error"
.............something happened error

I am interested only in the very first appearance of Error in the raw data.

Not sure if it is correct: I'm getting actual results, but it selects every error in sample Event Result 1.
index= index1 ERROR | regex _raw="\bERROR\b"

0 Karma

DalJeanis
SplunkTrust

Corrected grammar, try again.

0 Karma

niketn
Legend

Do you intend to perform a case-sensitive search? You can add the following to your base search: CASE("*Error")

https://docs.splunk.com/Documentation/Splunk/latest/Search/UseCASEandTERMtomatchphrases

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

jw44250
New Member

Not really,

I am interested only in the first occurrence of the word error, and error is not a field.

0 Karma

jw44250
New Member

It would be helpful in the future.

0 Karma