Splunk Search

When trying to return different error messages with one saved search/alert, how do I combine 2 searches where one uses regex(OR is not allowed)?

cmahan
Path Finder

I am trying to return several different error messages with one saved search / alert.

I can get all of them individually and I can get 3 of the 4 together, but when I try to add the one that uses a regex, it wants to apply the regex to everything or ignore it depending on the order.

The regex is being used because one of the errors is distinguished by having nothing after the string "java.lang.NullPointerException" while one of the others does have more after that string. I can't seem to use append or join or OR. I got it to at least not error using OR by putting brackets, but the results did not show as expected.

I'm sure there is a better way to do this?

index=prod source="/ep/logs/ep-cortex.log" sourcetype=c2b:cortex  "java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
    at java.util.ArrayList.rangeCheck(ArrayList.java:653)
    at java.util.ArrayList.get(ArrayList.java:429)
    at com.elasticpath.extensions.rest.resource.impl.EstimateCartsResourceOperatorImpl.createCartEstimate(EstimateCartsResourceOperatorImpl.java" 
OR "java.lang.NullPointerException
    at com.elasticpath.extensions.domain.shoppingcart.impl.AbstractQuantityPriceCalculatorImpl.roundAmountBasedOnTaxType(AbstractQuantityPriceCalculatorImpl.java" 
OR "com.elasticpath.extensions.ws.service.WebServiceUtil - Errors returned from Tibco. Context: get customer match, Errors: [Arithmetic overflow error for data type tinyint, value =" OR [search sourcetype=c2b:cortex "java.lang.NullPointerException" |regex _raw="java.lang.NullPointerException$"]
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi cmahan,
at first I don't like to have a multi line string, maybe it's better to have more separated strings to have more possibilities to have results.

in addition, at the end of a subsearch you need to have the fields or the table commands to declare which are the fields used to search otherwise the subsearch returns all the fields that will be used in the search and usually hasn't results.

In addition I don't like to not declare index in subsearch. if runs is slower!

About the regex identify a minor regex e.g. the following

| regex "java.lang.NullPointerException\s+at\s+com\."

Bye.
Giuseppe

0 Karma

reed_kelly
Contributor

Is it just an issue with your regex command? To do multi-line regex, you may have to add (?s) or (?m) to the beginning of the expression.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...