Splunk Search

When trying to return different error messages with one saved search/alert, how do I combine 2 searches where one uses regex (OR is not allowed)?

cmahan
Path Finder

I am trying to return several different error messages with one saved search / alert.

I can get all of them individually and I can get 3 of the 4 together, but when I try to add the one that uses a regex, it wants to apply the regex to everything or ignore it depending on the order.

The regex is being used because one of the errors is distinguished by having nothing after the string "java.lang.NullPointerException" while one of the others does have more after that string. I can't seem to use append or join or OR. I got it to at least not error using OR by putting brackets, but the results did not show as expected.

I'm sure there is a better way to do this?

index=prod source="/ep/logs/ep-cortex.log" sourcetype=c2b:cortex  "java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
    at java.util.ArrayList.rangeCheck(ArrayList.java:653)
    at java.util.ArrayList.get(ArrayList.java:429)
    at com.elasticpath.extensions.rest.resource.impl.EstimateCartsResourceOperatorImpl.createCartEstimate(EstimateCartsResourceOperatorImpl.java" 
OR "java.lang.NullPointerException
    at com.elasticpath.extensions.domain.shoppingcart.impl.AbstractQuantityPriceCalculatorImpl.roundAmountBasedOnTaxType(AbstractQuantityPriceCalculatorImpl.java" 
OR "com.elasticpath.extensions.ws.service.WebServiceUtil - Errors returned from Tibco. Context: get customer match, Errors: [Arithmetic overflow error for data type tinyint, value =" OR [search sourcetype=c2b:cortex "java.lang.NullPointerException" |regex _raw="java.lang.NullPointerException$"]

gcusello
SplunkTrust

Hi cmahan,
At first, I don't like having a multi-line string; maybe it's better to have several separate strings, to have more chances of getting results.

In addition, at the end of a subsearch you need to have the fields or table command to declare which fields are used in the search; otherwise the subsearch returns all the fields, which are then used in the main search, and that usually has no results.

Also, I don't like not declaring the index in the subsearch; otherwise it runs slower!

About the regex, identify a smaller regex, e.g. the following:

| regex "java.lang.NullPointerException\s+at\s+com\."

Bye.
Giuseppe


reed_kelly
Contributor

Is it just an issue with your regex command? To do multi-line regex, you may have to add (?s) or (?m) to the beginning of the expression.

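The two replies above turn on how the regex anchor and flags behave on a multi-line event: whether `$` marks the end of the whole event or the end of a line, what `(?s)` and `(?m)` actually change, and how a stricter pattern such as `\s+at\s+com\.` tells the two NullPointerException events apart. The script below is an added illustration, not code from the thread or from Splunk; it uses Python's `re` module as a stand-in for the PCRE engine behind Splunk's `regex` command (the constructs used here behave the same in both). The two sample events are constructed for this example; only the Java class and method names are taken from the question. The combined `NPE_CLASSIFIER` pattern and the `classify_npe` helper are hypothetical names written for this example.

```python
import re
from typing import Optional

# Two constructed events standing in for the OP's multi-line Splunk events.
# They are not real log lines; the Java class names are copied from the
# question so the patterns below can be compared with the ones in the thread.
NPE_BARE = "2024-05-01 10:00:00 ERROR Cortex - java.lang.NullPointerException"
NPE_WITH_TRACE = (
    "2024-05-01 10:00:01 ERROR Cortex - java.lang.NullPointerException\n"
    "    at com.elasticpath.extensions.domain.shoppingcart.impl."
    "AbstractQuantityPriceCalculatorImpl.roundAmountBasedOnTaxType("
    "AbstractQuantityPriceCalculatorImpl.java:101)"
)
EVENTS = {"bare": NPE_BARE, "with_trace": NPE_WITH_TRACE}


def matching_events(pattern: str) -> list:
    """Labels of the events whose _raw matches `pattern`.

    This mirrors what `| regex _raw="<pattern>"` does in Splunk: keep the
    event if the regex matches anywhere in _raw, drop it otherwise.
    """
    rx = re.compile(pattern)
    return sorted(label for label, raw in EVENTS.items() if rx.search(raw))


# One combined regex that classifies an NPE event in a single pass. The two
# named alternatives are the cases the question needs to tell apart: a stack
# frame from the tax-rounding calculator, or nothing at all after the
# exception name. Hypothetical pattern written for this example.
NPE_CLASSIFIER = re.compile(
    r"java\.lang\.NullPointerException"
    r"(?:"
    r"(?P<tax_rounding>\s+at\s+com\.elasticpath\.extensions\.domain\."
    r"shoppingcart\.impl\.AbstractQuantityPriceCalculatorImpl\."
    r"roundAmountBasedOnTaxType\()"
    r"|(?P<bare>$)"   # default flags: $ is the end of the event, not of a line
    r")"
)


def classify_npe(raw: str) -> Optional[str]:
    """Return 'tax_rounding', 'bare', or None for an event's _raw text."""
    m = NPE_CLASSIFIER.search(raw)
    return m.lastgroup if m else None


if __name__ == "__main__":
    for label, pattern in [
        ("$ anchor, default flags", r"java\.lang\.NullPointerException$"),
        ("$ anchor with (?m)", r"(?m)java\.lang\.NullPointerException$"),
        (".* without (?s)", r"java\.lang\.NullPointerException.*roundAmount"),
        (".* with (?s)", r"(?s)java\.lang\.NullPointerException.*roundAmount"),
        ("\\s+ crosses newlines", r"java\.lang\.NullPointerException\s+at\s+com\."),
        ("negative lookahead", r"java\.lang\.NullPointerException(?!\s+at\s)"),
    ]:
        print(f"{label:26} -> {matching_events(pattern)}")
    for label, raw in EVENTS.items():
        print(f"classify {label:10} -> {classify_npe(raw)}")
```

Running it shows the caveat a practitioner wants before adding flags: with default flags, `java\.lang\.NullPointerException$` keeps only the bare event, because `$` means end of the whole event; with `(?m)` it keeps both, because `$` now also matches before every line break, so the anchor no longer distinguishes the two errors. `(?s)` only changes whether `.` crosses a newline; it is not needed when the pattern bridges lines with `\s+`, which matches newlines already. The negative lookahead and the named-group alternation are two ways to express "NPE with nothing after it" and "NPE followed by this frame" in one pattern, which is what a single `| regex` in the saved search needs.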