Solved: I can't capture an unrecognized field with a space

dbaker42 · ‎03-15-2013

I'm running the following command:
host=Computername AND EventCode=1309 | rename "Exception message" as Exception_message | dedup Application_Path | table Application_Path Exception_message

But it still won't recognize Exception message. If I expand the results, here is a snippet of the returned data:

Exception information: Exception type: HttpException Exception message: Server cannot set status after HTTP headers have been sent.

I'd like to create a table showing the Application Path and the Exception message, but I can't get it to recognize my field. Help! Thanks in advance.

alacercogitatus · ‎03-15-2013

Looks like this is a windows log file. Try this:

host=Computername EventCode=1309 | rex field=_raw "Exception message:(?<exception_message>[^\r\n]*)"| dedup Application_Path| table Application_Path exception_message

View solution in original post

alacercogitatus · ‎03-15-2013

Looks like this is a windows log file. Try this:

host=Computername EventCode=1309 | rex field=_raw "Exception message:(?<exception_message>[^\r\n]*)"| dedup Application_Path| table Application_Path exception_message

alacercogitatus · ‎03-15-2013

Glad it worked for you, please accept the answer if it worked for you.

dbaker42 · ‎03-15-2013

Brilliant! That worked perfectly. Thanks!

bmacias84 · ‎03-15-2013

I am assuming you already have a field extraction or transform for this sourcetype and all the fields you are referencing?

I can't capture an unrecognized field with a space

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!