Splunk Search

Extract Text from logs

ppanchal
Path Finder

Below is my log,

CustomItemContainerGenerator.GenerateNextLocalContainer: Node is not the current one. in Xceed.Wpf.DataGrid.v4.5
Stack trace:
at Xceed.Wpf.DataGrid.CustomItemContainerGenerator.GenerateNextLocalContainer(Boolean& isNewlyRealized)
at Xceed.Wpf.DataGrid.CustomItemContainerGenerator.System.Windows.Controls.Primitives.IItemContainerGenerator.GenerateNext(Boolean& isNewlyRealized)
at Xceed.Wpf.DataGrid.Views.TableflowViewItemsHost.GenerateContainer(ICustomItemContainerGenerator generator, Int32 index, Boolean measureInvalidated, Boolean delayDataContext)
at Xceed.Wpf.DataGrid.Views.TableflowViewItemsHost.GenerateContainers(I

How can I extract only 'Node is not the current one' from the log and display?

0 Karma

sshelly_splunk
Splunk Employee

If you only want to extract that exact text, then:

 (?P<myfield>Node is not the current one\.)
0 Karma

cpetterborg
SplunkTrust

Is that all you want to extract, or is there something associated with that string that you want to extract? If all you want to do is display that one field, there seem to be many better ways of doing that. What are you going to do with that information from the events? If all you want to do is count the number of events that contain that, then you don't have to extract that data, just search for it and do a stats count on the results. So I'm not sure what you need from such an extraction. Please help me understand.

0 Karma

ppanchal
Path Finder

So I have similar such errors in my logs and I want to extract them and display only the unique ones with only the error message and nothing else. stats count does not help me here.

0 Karma

sowings
Splunk Employee

Time to learn some regex!

0 Karma

ppanchal
Path Finder

Can you help me with the regex?

0 Karma

cpetterborg
SplunkTrust

Probably, but what is the point of extracting a constant text value? You don't need regex to do that. If you want to extract the message that comes after the colon to the first period, then use:

... | rex "^\S+:\s*(?P<mess>[^.]+)"
0 Karma

ppanchal
Path Finder

This did not help.
It gives me the output from the start of the log to the first period and not from the colon to the first period.

Please help.

0 Karma

alemarzu
Motivator

Hi there @ppanchal

What about this one?

... | rex ":\s(?<text>[\w\s]+)\.\s" | stats count by text

0 Karma

ppanchal
Path Finder

Thanks that worked.

One more question,

How can I extract 'An entry with the same key already exists' from the below phrase,

423160139776 An entry with the same key already exists. in System Stack trace

0 Karma

alemarzu
Motivator

This one should work for both cases.

... | rex "(?:\s|\d+\s)(?<text>[\w\s]+)\.\s" | stats count by text

Hope it helps.

Remember to accept an answer to help future readers find the solution.

0 Karma
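Added example, not part of any post in the thread: the two rex patterns suggested above, ported to Python so they can be checked offline against the two log lines quoted in the thread. The helper names `extract` and `count_by_text` and the fourth event are assumptions made for this illustration.

```python
import re
from collections import Counter

# The thread's two rex patterns, ported to Python: rex/PCRE accepts
# (?<text>...), Python's re module needs (?P<text>...).
COLON_RE = re.compile(r":\s(?P<text>[\w\s]+)\.\s")
GENERAL_RE = re.compile(r"(?:\s|\d+\s)(?P<text>[\w\s]+)\.\s")

# Events 0-2 reuse the log lines quoted in the thread (the first one twice);
# event 3 is constructed here to show a message containing punctuation.
EVENTS = [
    "CustomItemContainerGenerator.GenerateNextLocalContainer: "
    "Node is not the current one. in Xceed.Wpf.DataGrid.v4.5",
    "423160139776 An entry with the same key already exists. "
    "in System Stack trace",
    "CustomItemContainerGenerator.GenerateNextLocalContainer: "
    "Node is not the current one. in Xceed.Wpf.DataGrid.v4.5",
    "Loader: Can't open file. in System",  # constructed
]


def extract(pattern, event):
    """Return the first 'text' capture in the event, or None if no match."""
    match = pattern.search(event)
    return match.group("text") if match else None


def count_by_text(pattern, events):
    """Mimic `| stats count by text`: events without the field drop out."""
    texts = (extract(pattern, e) for e in events)
    return Counter(t for t in texts if t is not None)


if __name__ == "__main__":
    for name, pattern in (("colon", COLON_RE), ("general", GENERAL_RE)):
        print(name, dict(count_by_text(pattern, EVENTS)))
```

The colon-based pattern finds nothing in the "same key" event because that line has no colon, which is why the second pattern was needed. For the constructed event, `[\w\s]+` cannot cross the apostrophe, so the second pattern returns only `open file`; a wider class such as `[^.]+` avoids that truncation when messages contain punctuation.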