Splunk Search

How can I create a field for error messages?

123Janardhan
New Member

Hello All,

I am a beginner at Splunk.

I have a requirement like this: "We have multiple applications in our system. Whenever we see any error transactions for any of the applications, I have to fetch the application name and the error message into two different fields so that I can display them in table format."

Could you please let me know how to fetch the entire error message into a single field? The error message will not be the same each time.

Example Log:
2017:12:25:45 AAA(application name) - timeout error (error message)
2017:12:25:49 BBB(application name) - Please enter correct details (error message)
2017:12:25:45 AAA(application name) - No data found (error message)
Thanks,

0 Karma

jkat54
SplunkTrust

You can do it in the search with rex:

| rex "\((?<appName>.*)\).+\((?<errorMessage>.*)\)" | table appName errorMessage

Or you can do so via props.conf on the search heads:

[sourcetypeName]
EXTRACT-appNameErrorMessage = \((?<appName>.*)\).+\((?<errorMessage>.*)\)

123Janardhan
New Member

Do I need to pass appName and errorMessage explicitly? Is it not possible to get them from the events? Because we have different types of error messages for the same application.

0 Karma

jkat54
SplunkTrust

That will be the field name that contains a value that IS your application name or error message.

You can change it to whatever you want your field names to be:

Run it against your data and look at the interesting fields on the left side of your screen.

0 Karma

jkat54
SplunkTrust
| rex "\((?<field1>.*)\).+\((?<field2>.*)\)" | table field1 field2

The above would create two fields, field1 and field2. Field1 would be your application names and field2 would be your error messages.

Now you can have fun with your new fields.

| rex "\((?<appName>.*)\).+\((?<errorMessage>.*)\)" | stats values(errorMessage) by appName

| rex "\((?<appName>.*)\).+\((?<errorMessage>.*)\)" | stats count by errorMessage, appName

Etc

0 Karma

jkat54
SplunkTrust

If you're saying AAA is the app name and "timeout error" is the error message then this could be your regex:

\d{4}:\d\d:\d\d:\d\d\s+(?<application>.*)\s-\s(?<error>.*)

0 Karma

fbehe
Explorer

You can do that using a rex command:

your search
| rex field=<your field> "\d+:\d+:\d+:\d+ (?P<triplet>.+)\((?P<app>.+)\) - (?P<error>.+) \((?P<message>.*)\)$"

This will add the triplet field, which corresponds to AAA or BBB in your example; the app field, which contains your "application name"; error, which will contain messages such as "No data found"; and finally message, which will contain the error message.

0 Karma
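The three patterns proposed in this thread capture different things from the same event, and the unanchored ones behave differently once an error message itself contains parentheses. The script below is an added example (my own code, not from any poster and not Splunk's implementation) that emulates `rex`, `stats count by` and `stats values() by` in Python over sample events constructed from the question plus two lines I added (a repeat of the first event and one whose message contains parentheses). It assumes Python's `re` module, which only accepts `(?P<name>...)` named groups, so a small helper rewrites the PCRE `(?<name>...)` form before matching; the field and function names are mine.

```python
import re
from collections import Counter

# Constructed sample events: the three lines from the question, plus two of my
# own (a repeated timeout and an error message that itself contains parentheses).
SAMPLE_EVENTS = [
    "2017:12:25:45 AAA(application name) - timeout error (error message)",
    "2017:12:25:49 BBB(application name) - Please enter correct details (error message)",
    "2017:12:25:45 AAA(application name) - No data found (error message)",
    "2017:12:25:50 CCC(application name) - connection refused (host unreachable) (error message)",
    "2017:12:25:51 AAA(application name) - timeout error (error message)",
]

# The patterns from the thread, verbatim in Splunk (PCRE) syntax.
REX_PARENS = r"\((?<appName>.*)\).+\((?<errorMessage>.*)\)"
REX_DASH = r"\d{4}:\d\d:\d\d:\d\d\s+(?<application>.*)\s-\s(?<error>.*)"
REX_ANCHORED = r"\d+:\d+:\d+:\d+ (?P<triplet>.+)\((?P<app>.+)\) - (?P<error>.+) \((?P<message>.*)\)$"


def to_python_regex(pattern):
    """Python's re only understands (?P<name>...), so rewrite PCRE-style
    (?<name>...) groups while leaving look-behinds (?<= and (?<! untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def rex(event, pattern):
    """Emulate `| rex "<pattern>"`: named groups of the first match, or an
    empty dict when the event does not match (rex then leaves the fields unset)."""
    match = re.search(to_python_regex(pattern), event)
    return match.groupdict() if match else {}


def extract_all(events, pattern):
    """One row of extracted fields per event, in event order."""
    return [rex(event, pattern) for event in events]


def stats_count_by(events, pattern, *fields):
    """Emulate `| stats count by f1, f2`: events per distinct field tuple,
    skipping events in which any of the fields is missing (as stats does)."""
    counter = Counter()
    for event in events:
        extracted = rex(event, pattern)
        if all(name in extracted for name in fields):
            counter[tuple(extracted[name] for name in fields)] += 1
    return dict(counter)


def stats_values_by(events, pattern, value_field, by_field):
    """Emulate `| stats values(value_field) by by_field`: sorted distinct values."""
    buckets = {}
    for event in events:
        extracted = rex(event, pattern)
        if value_field in extracted and by_field in extracted:
            buckets.setdefault(extracted[by_field], set()).add(extracted[value_field])
    return {key: sorted(values) for key, values in buckets.items()}


if __name__ == "__main__":
    for name, pattern in (("parens", REX_PARENS), ("dash", REX_DASH), ("anchored", REX_ANCHORED)):
        print(f"--- {name}")
        for row in extract_all(SAMPLE_EVENTS, pattern):
            print(row)
    print(stats_count_by(SAMPLE_EVENTS, REX_ANCHORED, "triplet", "error"))
    print(stats_values_by(SAMPLE_EVENTS, REX_ANCHORED, "error", "triplet"))
```

Running it shows the difference in what each pattern extracts: the first pattern returns the parenthesised annotations ("application name", "error message") rather than AAA and "timeout error", and on the event whose message contains parentheses its greedy `.*` swallows everything up to the last-but-one closing bracket into appName. The dash-separated pattern keeps the annotations attached to both fields. The `$`-anchored pattern yields triplet, app, error and message as described, including the message with embedded parentheses, which is why anchoring and non-greedy matching matter when the extracted fields feed a dashboard or an alert: an unanchored pattern fails silently by misattributing text rather than by not matching.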