Splunking a .NET stack trace

rlourenco
Engager

Hi,

I'm trying to use Splunk to analyse application errors from an ASP.NET application; we are getting about a thousand/week.
I have been able to extract the field "Error Message", which identifies each type of error; now I am drilling down and parsing each error type independently. However, all errors contain two stack traces and I need to identify the failing component.
I would like to be able to split my event so that each line in the stack trace section can be filtered individually, in order to filter the application components from the system ones.

Can someone give me a hint on how to do this?

Thanks,

Rui

The following is an example of the event:

","wuPAS@xxxxxx.com","wuPAS@xxxxxx.com","SMTP","xxxxxx@xxxxxx.com;server errors","xxxxxx@xxxxxx.com;/O=xxxxxx/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=Server errors","SMTP;EX",,,,,,,,,"Normal",,"Normal"
"xxxxxx.local has recieved the Event of Concern","ComputerName=xxxxxx User=Not specified Logfile=Application Type=Error EventType=1 SourceName=xxxxxx Category=0 CategoryString=Not specified EventCode=0 EventID=0 TimeGenerated=20111124133152.000000-300 TimeWritten=20111124133152.000000-300 Message=====================

Application Error On: 24/11/2011 1:31:52 PM
Error ID: 20111124133152964112xxxxxx
Error Message: Object reference not set to an instance of an object. 

Exception Type: System.Web.HttpUnhandledException
Message: Exception of type 'System.Web.HttpUnhandledException' was thrown.    
Stack Trace:    at System.Web.UI.Page.HandleError(Exception e)
     at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
     at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
     at System.Web.UI.Page.ProcessRequest()
     at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
     at System.Web.UI.Page.ProcessRequest(HttpContext context)
     at ASP.applicant_attsearch_aspx.ProcessRequest(HttpContext context) in c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\7f1abafc\b8cd4f32\App_Web_nn9segcm.8.cs:line 0
     at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
     at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)


Exception Type: System.NullReferenceException
Message: Object reference not set to an instance of an object.
Stack Trace:    at _AppAttSearch.BuildSearchParameters() in e:\wwwroot\xxxxxx\Applicant\AttSearch.aspx.cs:line 201
    at _AppAttSearch.btnSearch_ServerClick(Object sender, EventArgs e) in e:\wwwroot\xxxxxx\Applicant\AttSearch.aspx.cs:line 170
    at System.Web.UI.HtmlControls.HtmlInputButton.OnServerClick(EventArgs e)
    at System.Web.UI.HtmlControls.HtmlInputButton.RaisePostBackEvent(String eventArgument)
    at System.Web.UI.HtmlControls.HtmlInputButton.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument)
    at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
    at System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData)
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

====================

dominiquevocat
SplunkTrust

Would something like this help?

(?m-s)\n(?<exception>.+?[a-z.]Exception)
0 Karma
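
One way to do the split asked about in this thread, as an added example that is not from either poster: `rex max_match=0` captures every `at ...` frame into a multivalue field, `mvexpand` turns each frame into its own result row, and frames whose method starts with `System.` are dropped so only application frames are counted. `your_index` and `your_sourcetype` are placeholders, and the field names `frame`, `method`, `source_file`, `line_no` and `component` are chosen for this example.

```spl
index=your_index sourcetype=your_sourcetype "Stack Trace:"
| rex max_match=0 "(?m)(?:^|Stack Trace:)\s+at\s+(?<frame>[^\r\n]+)"
| mvexpand frame
| rex field=frame "^(?<method>[^(]+)\([^)]*\)(?:\s+in\s+(?<source_file>.+):line\s+(?<line_no>\d+))?"
| eval component=if(match(method, "^System\."), "framework", "application")
| where component="application"
| fillnull value="unknown" source_file line_no
| stats count by method, source_file, line_no
| sort - count
```

The first `rex` accepts both the frame that shares a line with `Stack Trace:` and the indented frames below it; the `fillnull` keeps application frames that carry no `in <file>:line <n>` suffix from being dropped by `stats`.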