Splunk Search

How do I match multiple regex expressions?

BenzionYunger
New Member

I need to run a query that matches multiple expressions from JSON data. This is what I tried, but it didn't work:

regex (Primary.stackTrace="java.lang.RuntimeException: Sign in error message." | Primary.stackTrace="java.lang.RuntimeException: Login page failed to load within 45 seconds")

0 Karma

richgalloway
SplunkTrust

Your regex command contains regular expressions that don't match your events. "java.lang.RuntimeException: Sign in error message." expects the word "java" followed by any single character followed by "lang", a character, and the rest of the message. Try escaping periods:

regex (Primary.stackTrace="java\.lang\.RuntimeException: Sign in error message" | Primary.stackTrace="java\.lang\.RuntimeException: Login page failed to load within 45 seconds")

Better yet, since these strings don't need to be expressions, let Splunk search for them as-is in your base search. Your performance may improve.

index=foo ("java.lang.RuntimeException: Sign in error message." OR "java.lang.RuntimeException: Login page failed to load within 45 seconds") | ....

---
If this reply helps you, Karma would be appreciated.

0 Karma

BenzionYunger
New Member

The first suggestion did not work either; it returned an error message, "command not known primary", and the regex command for a single expression does work.
However, the 2nd suggestion did work effectively.
Thank you

0 Karma

BenzionYunger
New Member

Here is an event example to demonstrate. Notice Primary.stackTrace and Secondary1.stackTrace have different values. Only events with testStatus="Failed" can have a stackTrace, and some stackTraces are not one of the regex expressions.

{   [-] 
   Primary: {   [-] 
     className: com.quantum.Tests   
     description: Android   
     device: 988DD2395042313346 
     executionID: test@test.com_RemoteWebDriver_18-12-23_20_25_23_76623 
     hostName: ip-10-0-0-8  
     location: NA-US-BOS    
     methodName: My Test
     methods: { [+] 
     }  
     model: Galaxy S8   
     monitorTag: null   
     os: Android    
     reportKey: null    
     reportiumReport: https://test.app.test.com/reporting/library?externalId[0]=monitor@test.com_RemoteWebDriver_18-12-23_20_25_23_76623&_timestamp[0]=1545596723084    
     stackTrace: java.lang.RuntimeException: Login page failed to load within 45 seconds
    at com.quantum.steps._App_Steps.verifySuccessfulLogin(_App_Steps.java:81)
    at com.quantum.Tests._CA_HCO_Access(Tests.java:156)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:104)
    at org.testng.internal.Invoker.invokeMethod(Invoker.java:645)
    at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:851)
    at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:1177)
    at org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:129)
    at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:112)
    at org.testng.TestRunner.privateRun(TestRunner.java:781)
    at org.testng.TestRunner.run(TestRunner.java:635)
    at org.testng.SuiteRunner.runTest(SuiteRunner.java:387)
    at org.testng.SuiteRunner.access$000(SuiteRunner.java:39)
    at org.testng.SuiteRunner$SuiteWorker.run(SuiteRunner.java:421)
    at org.testng.internal.thread.ThreadUtil$2.call(ThreadUtil.java:64)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

     testExecutionDuration: 224 
     testExecutionEnd: Dec 23, 2018 8:29:06 PM  
     testExecutionStart: Dec 23, 2018 8:25:21 PM    
     testName:  HCO Access - device 2   
     testStatus: Fail       
   }    
   Secondary1: {    [-] 
     className: com.quantum.Tests   
     description: Android   
     device: 988E16354746385136 
     executionID: monitor@test.com_RemoteWebDriver_18-12-23_20_25_23_76624  
     hostName: ip-10-0-0-8  
     location: NA-US-BOS    
     methodName: _CA_HCO_Access 
     methods: { [+] 
     }  
     model: Galaxy S8   
     monitorTag: null   
     os: Android    
     reportKey: null    
     reportiumReport: https://test.app.test.com/reporting/library?externalId[0]=monitor@test.com_RemoteWebDriver_18-12-23_20_25_23_76624&_timestamp[0]=1545596723084    
     stackTrace: java.lang.RuntimeException: Sign in error message
    at com.quantum.steps._App_Steps.verifySuccessfulLogin(_App_Steps.java:81)
    at com.quantum.Tests._CA_HCO_Access(Tests.java:156)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:104)
    at org.testng.internal.Invoker.invokeMethod(Invoker.java:645)
    at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:851)
    at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:1177)
    at org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:129)
    at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:112)
    at org.testng.TestRunner.privateRun(TestRunner.java:781)
    at org.testng.TestRunner.run(TestRunner.java:635)
    at org.testng.SuiteRunner.runTest(SuiteRunner.java:387)
    at org.testng.SuiteRunner.access$000(SuiteRunner.java:39)
    at org.testng.SuiteRunner$SuiteWorker.run(SuiteRunner.java:421)
    at org.testng.internal.thread.ThreadUtil$2.call(ThreadUtil.java:64)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

     testExecutionDuration: 89  
     testExecutionEnd: Dec 23, 2018 8:26:51 PM  
     testExecutionStart: Dec 23, 2018 8:25:21 PM    
     testName:  HCO Access - device 1   
     testStatus: Fail   
   }    
}   
0 Karma
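
An added example, not part of any post in this thread: an unquoted `|` is read by SPL as a command separator, so the alternation has to sit inside one quoted pattern, where it is part of the regular expression. The search below keeps the literal terms in the base search and then checks both stackTrace fields from the sample event; `index=foo` is the placeholder used in the reply above, and it assumes the JSON fields are already extracted at search time.

```spl
index=foo ("Sign in error message" OR "Login page failed to load within 45 seconds")
| where match('Primary.stackTrace', "java\.lang\.RuntimeException: (Sign in error message|Login page failed to load within 45 seconds)")
     OR match('Secondary1.stackTrace', "java\.lang\.RuntimeException: (Sign in error message|Login page failed to load within 45 seconds)")
```

When only one field matters, the same quoted pattern can be given to the regex command instead: `| regex Primary.stackTrace="java\.lang\.RuntimeException: (Sign in error message|Login page failed to load within 45 seconds)"`.
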

richgalloway
SplunkTrust

To properly diagnose regex problems, we really need to see some sample events.

---
If this reply helps you, Karma would be appreciated.
0 Karma