Hello All,
I am a beginner with Splunk.
I have a requirement like "we are having multiple applications in our system. Whenever we see any error transactions for any of the applications, I have to fetch the application name and the error message into two different fields so that I can display them in table format."
Could you please let me know how to fetch the entire error message into a single field? The error message will not be the same each time.
Example Log: 2017:12:25:45 AAA(application name) - timeout error (error message)
2017:12:25:49 BBB(application name) - Please enter correct details (error message)
2017:12:25:45 AAA(application name) - No data found (error message)
Thanks,
You can do it in the search with rex:
| rex "\((?<appName>.*)\).+\((?<errorMessage>.*)\)" | table appName errorMessage
Or you can do so via props.conf on the search heads:
[sourcetypeName]
EXTRACT-appNameErrorMessage = \((?<appName>.*)\).+\((?<errorMessage>.*)\)
Do I need to pass appName and errorMessage explicitly? Is it not possible to get them from the events? Because we are having different types of error messages for the same application.
That will be the field name that contains a value that IS your application name or error message.
You can change it to whatever you want your field names to be:
Run it against your data and look at the interesting fields on the left side of your screen.
| rex "\((?<field1>.*)\).+\((?<field2>.*)\)" | table field1 field2
The above would create two fields, field1 and field2. field1 would be your application names and field2 would be your error messages.
Now you can have fun with your new fields.
| rex "\((?<appName>.*)\).+\((?<errorMessage>.*)\)" | stats values(errorMessage) by appName
| rex "\((?<appName>.*)\).+\((?<errorMessage>.*)\)" | stats count by errorMessage, appName
Etc
If you're saying AAA is the app name and "timeout error" is the error message then this could be your regex:
\d{4}:\d\d:\d\d:\d\d\s+(?<application>.*)\s-\s(?<error>.*)
You can do that using a rex command:
your search
| rex field=<your field> "\d+:\d+:\d+:\d+ (?P<triplet>.+)\((?P<app>.+)\) - (?P<error>.+) \((?P<message>.*)\)$"
This will add the triplet field, which corresponds to AAA or BBB in your example; the app field, which contains your "application name"; the error field, which will contain messages such as "No data found"; and finally the message field, which will contain the error message.
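To see what the two kinds of regex in the answers above actually capture, here is an added Python example (not code from any of the posters, and not Splunk itself) that applies the parenthesis-based pattern from the first answer and the timestamp-based pattern from the later answer to the sample events from the question, then mimics `stats count by` and `stats values(...) by`. The field names appName, errorMessage, application and error are taken from the answers; the second set of events without the "(application name)" annotations is constructed on the assumption that those parentheses were only the poster's labelling and are not present in the real logs. Python's re module only accepts the `(?P<name>...)` group syntax, whereas Splunk's rex accepts both `(?<name>...)` and `(?P<name>...)`.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events, copied from the question as the poster wrote them,
# including the "(application name)" and "(error message)" annotations.
SAMPLE_EVENTS = [
    "2017:12:25:45 AAA(application name) - timeout error (error message)",
    "2017:12:25:49 BBB(application name) - Please enter correct details (error message)",
    "2017:12:25:45 AAA(application name) - No data found (error message)",
]

# Constructed variant without the annotations: the shape the raw events most
# likely have if the parentheses were only the poster's labels (an assumption).
SAMPLE_EVENTS_PLAIN = [
    "2017:12:25:45 AAA - timeout error",
    "2017:12:25:49 BBB - Please enter correct details",
    "2017:12:25:45 AAA - No data found",
]

# Pattern from the first answer: it depends on the literal parentheses, so it
# captures whatever sits inside them, which here is the annotation text.
PAREN_REGEX = re.compile(r"\((?P<appName>.*)\).+\((?P<errorMessage>.*)\)")

# Pattern from the later answer: anchored on the timestamp and the " - "
# separator, so it yields the app token and the rest of the line either way.
POSITIONAL_REGEX = re.compile(
    r"\d{4}:\d\d:\d\d:\d\d\s+(?P<application>.*)\s-\s(?P<error>.*)"
)


def extract(events, regex):
    """Mimic `| rex`: one dict of named-group fields per event.

    Events that do not match get an empty dict; Splunk would leave the
    fields null for those events rather than dropping them.
    """
    rows = []
    for event in events:
        m = regex.search(event)
        rows.append(m.groupdict() if m else {})
    return rows


def stats_count_by(rows, *fields):
    """Mimic `| stats count by f1, f2`: count rows grouped by the given fields.

    Rows missing any of the group-by fields are skipped, as stats does.
    """
    counter = Counter()
    for row in rows:
        if all(f in row for f in fields):
            counter[tuple(row[f] for f in fields)] += 1
    return dict(counter)


def stats_values_by(rows, value_field, by_field):
    """Mimic `| stats values(value_field) by by_field`: sorted distinct values."""
    grouped = defaultdict(set)
    for row in rows:
        if value_field in row and by_field in row:
            grouped[row[by_field]].add(row[value_field])
    return {key: sorted(vals) for key, vals in grouped.items()}


if __name__ == "__main__":
    for label, events in (("annotated", SAMPLE_EVENTS), ("plain", SAMPLE_EVENTS_PLAIN)):
        print(f"--- {label} events, parenthesis pattern ---")
        for row in extract(events, PAREN_REGEX):
            print(row)
        print(f"--- {label} events, positional pattern ---")
        rows = extract(events, POSITIONAL_REGEX)
        for row in rows:
            print(row)
        print(stats_count_by(rows, "error", "application"))
        print(stats_values_by(rows, "error", "application"))
```

Run it once against the annotated events and once against the plain ones: the parenthesis pattern returns "application name" and "error message" for every annotated event and matches nothing at all on the plain ones, while the positional pattern gives AAA/BBB and the message text in both cases. That is the check to run on your own data before committing either regex to props.conf.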