- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Field Extraction - Event table only pulling back o...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Field Extraction - Event table only pulling back one line
Hi All,
I currently am pulling in data from an application and we are looking extract a single line that the event occurs, and put it in an events table for a dashboard. I've tried using rex and regex to no avail. A sample of this data is:
14:51:19.425 MSM:read142-USCN9360: .SocketManager$1: got request SeqNo 452 Agent AMW_PRD2 Master null service checkNetwork Method checkConnection [USCN9360]
14:51:19.425 MSM2: .MasterSocketManager$_A: doRun 0 SeqNo 452 Agent AMW_PRD2 Master null service checkNetwork Method checkConnection [USCN9360]
14:51:19.425 MSM2: .CheckNetworkService: USCN9360
14:51:19.425 MSM2: .MasterSocketManager$_A: doRun done 0 SeqNo 452 Agent AMW_PRD2 Master null service checkN
14:51:19.613 CR:read122-/172.20.240.32:63509: .SocketManager$1: got request SeqNo 5005 Agent 172.30.106.172:1099 Master Client service clientServices sessionID 287 Method invokeAgent [FTP, FTP, ftpLi
stDirectory, [Ljava.lang.Object;@1367476]
14:51:19.613 CR1: .D$_A: doRun 0 SeqNo 5005 Agent 172.30.106.172:1099 Master Client service clientServices sessionID 287 Method invokeAgent [FTP, FTP, ftpListDirectory, [Ljava.lang.Obje
14:51:19.613 CR1 172.20.240.32:63509: .C: invoke invokeAgent com.appworx.server.data.AxRmiServer /172.20.240.32:63509
14:51:19.613 CR1 172.20.240.32:63509: .MasterSocketManager: sendRequest 172.30.118.41:55895 SeqNo 265838 Agent FTP Master AMW_PRD2 service FTP Method ftpListDirectory [{CONNECTION_NAME=Ftp@Jde-apx511
}, /apps/jdeasq03/uc4]
14:51:19.629 MSM:read61-JDEASP05: .SocketManager$1: got request 265838 null null Agent error : FTP:ftpListDirectory : Client Request Error : Directory /apps/jdeasq03/uc4 does not exist. : java.lang.Ru
ntimeException
14:51:19.629 MSM6: .MasterSocketManager$_A: doRun 0 265838 null null Agent error : FTP:ftpListDirectory : Client Request Error : Directory /apps/jdeasq03/uc4 does not exist. : java.lang.RuntimeExcepti
on
14:51:19.629 MSM6: .MasterSocketManager$_A: doRun done 0 265838 null null Agent error : FTP:ftpListDirectory
14:51:19.629 CR1 172.20.240.32:63509: AwE-5128
ErrorMsg: AwE-5128 Client Request Error (3/5/19 2:51 PM)
Details: invokeAgent
Agent error : FTP:ftpListDirectory : Client Request Error : Directory /apps/jdeasq03/uc4 does not exist. : java.lang.RuntimeException
at com.appworx.agent.AgentService.invoke(AgentService.java:1335)
at com.appworx.agent.AgentSocketManager$_A.doRun(AgentSocketManager.java:462)
at com.uc4.be.threading.AbstractWorker.run(AbstractWorker.java:367)
at java.lang.Thread.run(Thread.java:736)
Caused by: Client Request Error : Directory /apps/jdeasq03/uc4 does not exist. : java.lang.RuntimeException
at com.appworx.agent.extensibleagent.A.invoke(GenericExtensibleAgent.java:298)
at com.appworx.agent.AgentService.invoke(AgentService.java:1296)
... 3 more
Caused by: java.lang.RuntimeException
... 5 more
AwE-5128 Client Request Error
Directory /apps/jdeasq03/uc4 does not exist.
Client Request Error : Directory /apps/jdeasq03/uc4 does not exist. : java.lang.RuntimeException
at com.appworx.agent.extensibleagent.A.invoke(GenericExtensibleAgent.java:298)
at com.appworx.agent.AgentService.invoke(AgentService.java:1296)
at com.appworx.agent.AgentSocketManager$_A.doRun(AgentSocketManager.java:462)
at com.uc4.be.threading.AbstractWorker.run(AbstractWorker.java:367)
at java.lang.Thread.run(Thread.java:736)
Caused by: java.lang.RuntimeException
... 5 more
java.lang.RuntimeException
at com.appworx.agent.extensibleagent.A.invoke(GenericExtensibleAgent.java:298)
at com.appworx.agent.AgentService.invoke(AgentService.java:1296)
at com.appworx.agent.AgentSocketManager$_A.doRun(AgentSocketManager.java:462)
at com.uc4.be.threading.AbstractWorker.run(AbstractWorker.java:367)
at java.lang.Thread.run(Thread.java:736)
I've tried using the built-in regex and writing my own.
Am I missing something with this scenario? We would only want to pull back the ErrorMsg line of the event into a panel.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You showed us the event(s) but did not say what pieces you need captured. Also, I assume that your sample is showing multiple events, each one starting with the timestamp, not one huge multi-line event, right?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you share what regex you tried ? and what exactly you are trying to extract from the sample data?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is your regex looking like?
Already tried something like:
your base search |rex (?<error_message>ErrorMsg:[^\n]+)
If this captures too much, you can try ?
your base search |rex (?<error_message>ErrorMsg:[^)]+)
Afterwards you sould have a new field called error_message you can can work with.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
