Splunk Search

How to parse an event and get a table

sangs8788
Communicator

I have an error event in this format indexed in Splunk.

Error for batch element #1: One or more values in the INSERT statement, UPDATE statement, or foreign key update caused by a DELETE statement are not valid because the primary key, unique constraint or unique index identified by "2" constrains table "TABLE_NAME" from having duplicate values for the index key.. SQLCODE=-803, SQLSTATE=23505, DRIVER=4.11.77

How do I extract the TABLE_NAME out of this event?

Thanks

0 Karma
1 Solution

cpetterborg
SplunkTrust
SplunkTrust

In your Search command in SPL:

... | rex "constrains table \"(?P<tablename>[^\"]*)\""

View solution in original post

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

In your Search command in SPL:

... | rex "constrains table \"(?P<tablename>[^\"]*)\""
0 Karma

sangs8788
Communicator

Thanks. it worked.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...