MessageText=
[2017-07-25T16:29:01.694+10:00]...XXXXXXXXXXXXXXXXXXXXXXXXXX at com.ofss.fc.app.Interaction.analyzeAndThrowException(Interaction.java:1349) Caused by: com.ofss.fc.framework.exception.BusinessException: No address linkage is maintained for Account ID: 74XX15140985.** at com.ofss.fc.domain.account.service.action.accountaddresslinkage.AccountAddressLinkageService.fetchAccountAddressLinkage(AccountAddressLinkageService.java:233) ]]
My goal is to create a new field, "rootcause" where it starts after the string "Caused by: " and ends before the string "at com." I figured rex command will do the trick? I tried field extractor but my searches returns to "no results found".
Hi olbinado11,
try something like this
Caused by:(?<your_field>.*)\sat\scom.
You can test it at https://regex101.com/r/8BdlXU/1
Bye.
Giuseppe
@olbinado11, post your data and current rex command using the code button so that special characters do not escape/get omitted in the post.
In case your event has new line character after each line you will have to use (?s) in the rex command so that DOT (.) matches newline characters as well i.e. | rex field=Message "(?s)Caused by:(?<myField>.*)\sat\s"
| makeresults
| eval Message="[2017-07-25T16:29:01.694+10:00]...XXXXXXXXXXXXXXXXXXXXXXXXXX at com.ofss.fc.app.Interaction.analyzeAndThrowException(Interaction.java:1349) **Caused by: com.ofss.fc.framework.exception.BusinessException: No address linkage is maintained for Account ID: 74XX15*140985.* at com.ofss.fc.domain.account.service.action.accountaddresslinkage.AccountAddressLinkageService.fetchAccountAddressLinkage(AccountAddressLinkageService.java:233) ]]"
| rex field=Message "Caused by:(?<myField>.*)\sat\s"
Also, have you extracted Message field already and ensured that the sample data is being reflected when you use | table Message
command? If not change rex to process on _raw instead of Message field i.e. | rex field=_raw "Caused by:(?<myField>.*)\sat\s"
PS: Rex should only be used for testing. You should ideally be creating Field Extractions (better using Splunk's Interactive Field Extraction IFX : http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX)
@niketnilay,
| rex field=_raw "Caused by:(?.*)\sat\s" still does not give me the result i need..
however after playing around with what you have shared.. i come up with this...
|rex field=MessageText "\Caused by:(?.*)\s..."
i feel that the above \ before Caused and the ... after \s did the charm.. but no idea how.
I am sorry for asking this but can you explain how it worked?
Hi olbinado11,
try something like this
Caused by:(?<your_field>.*)\sat\scom.
You can test it at https://regex101.com/r/8BdlXU/1
Bye.
Giuseppe
|rex field=MessageText "\Caused by:(?.*)\sat\scom."
Unfortunately not working.
strange, in regex101 is working!
https://regex101.com/r/8BdlXU/3
did you tried?
your_search
| rex "(?s)Caused by:(?<rootcause>.*)\sat\scom."
| ...
Bye.
Giuseppe