Splunk Search

Creating a new field from a default field

olbinado11
New Member

MessageText=
[2017-07-25T16:29:01.694+10:00]...XXXXXXXXXXXXXXXXXXXXXXXXXX at com.ofss.fc.app.Interaction.analyzeAndThrowException(Interaction.java:1349) Caused by: com.ofss.fc.framework.exception.BusinessException: No address linkage is maintained for Account ID: 74XX15140985.** at com.ofss.fc.domain.account.service.action.accountaddresslinkage.AccountAddressLinkageService.fetchAccountAddressLinkage(AccountAddressLinkageService.java:233) ]]

My goal is to create a new field, "rootcause" where it starts after the string "Caused by: " and ends before the string "at com." I figured rex command will do the trick? I tried field extractor but my searches returns to "no results found".

Tags (2)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi olbinado11,
try something like this

Caused by:(?<your_field>.*)\sat\scom.

You can test it at https://regex101.com/r/8BdlXU/1
Bye.
Giuseppe

View solution in original post

niketn
Legend

@olbinado11, post your data and current rex command using the code button so that special characters do not escape/get omitted in the post.

In case your event has new line character after each line you will have to use (?s) in the rex command so that DOT (.) matches newline characters as well i.e. | rex field=Message "(?s)Caused by:(?<myField>.*)\sat\s"

| makeresults
| eval Message="[2017-07-25T16:29:01.694+10:00]...XXXXXXXXXXXXXXXXXXXXXXXXXX at com.ofss.fc.app.Interaction.analyzeAndThrowException(Interaction.java:1349) **Caused by: com.ofss.fc.framework.exception.BusinessException: No address linkage is maintained for Account ID: 74XX15*140985.* at com.ofss.fc.domain.account.service.action.accountaddresslinkage.AccountAddressLinkageService.fetchAccountAddressLinkage(AccountAddressLinkageService.java:233) ]]"
| rex field=Message "Caused by:(?<myField>.*)\sat\s"

Also, have you extracted Message field already and ensured that the sample data is being reflected when you use | table Message command? If not change rex to process on _raw instead of Message field i.e. | rex field=_raw "Caused by:(?<myField>.*)\sat\s"

PS: Rex should only be used for testing. You should ideally be creating Field Extractions (better using Splunk's Interactive Field Extraction IFX : http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX)

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

olbinado11
New Member

@niketnilay,

| rex field=_raw "Caused by:(?.*)\sat\s" still does not give me the result i need..

however after playing around with what you have shared.. i come up with this...

|rex field=MessageText "\Caused by:(?.*)\s..."

i feel that the above \ before Caused and the ... after \s did the charm.. but no idea how.

I am sorry for asking this but can you explain how it worked?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi olbinado11,
try something like this

Caused by:(?<your_field>.*)\sat\scom.

You can test it at https://regex101.com/r/8BdlXU/1
Bye.
Giuseppe

olbinado11
New Member

|rex field=MessageText "\Caused by:(?.*)\sat\scom."

Unfortunately not working.

0 Karma

gcusello
SplunkTrust
SplunkTrust

strange, in regex101 is working!
https://regex101.com/r/8BdlXU/3

did you tried?

your_search
| rex "(?s)Caused by:(?<rootcause>.*)\sat\scom."
| ...

Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...