Solved: Re: Creating a new field from a default field

olbinado11 · ‎07-25-2017

MessageText=
[2017-07-25T16:29:01.694+10:00]...XXXXXXXXXXXXXXXXXXXXXXXXXX at com.ofss.fc.app.Interaction.analyzeAndThrowException(Interaction.java:1349) Caused by: com.ofss.fc.framework.exception.BusinessException: No address linkage is maintained for Account ID: 74XX15140985.** at com.ofss.fc.domain.account.service.action.accountaddresslinkage.AccountAddressLinkageService.fetchAccountAddressLinkage(AccountAddressLinkageService.java:233) ]]

My goal is to create a new field, "rootcause" where it starts after the string "Caused by: " and ends before the string "at com." I figured rex command will do the trick? I tried field extractor but my searches returns to "no results found".

gcusello · ‎07-25-2017

Hi olbinado11,
try something like this

Caused by:(?<your_field>.*)\sat\scom.

You can test it at https://regex101.com/r/8BdlXU/1
Bye.
Giuseppe

View solution in original post

niketn · ‎07-25-2017

@olbinado11, post your data and current rex command using the code button so that special characters do not escape/get omitted in the post.

In case your event has new line character after each line you will have to use (?s) in the rex command so that DOT (.) matches newline characters as well i.e. | rex field=Message "(?s)Caused by:(?<myField>.*)\sat\s"

| makeresults
| eval Message="[2017-07-25T16:29:01.694+10:00]...XXXXXXXXXXXXXXXXXXXXXXXXXX at com.ofss.fc.app.Interaction.analyzeAndThrowException(Interaction.java:1349) **Caused by: com.ofss.fc.framework.exception.BusinessException: No address linkage is maintained for Account ID: 74XX15*140985.* at com.ofss.fc.domain.account.service.action.accountaddresslinkage.AccountAddressLinkageService.fetchAccountAddressLinkage(AccountAddressLinkageService.java:233) ]]"
| rex field=Message "Caused by:(?<myField>.*)\sat\s"

Also, have you extracted Message field already and ensured that the sample data is being reflected when you use | table Message command? If not change rex to process on _raw instead of Message field i.e. | rex field=_raw "Caused by:(?<myField>.*)\sat\s"

PS: Rex should only be used for testing. You should ideally be creating Field Extractions (better using Splunk's Interactive Field Extraction IFX : http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX)

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

olbinado11 · ‎07-26-2017

@niketnilay,

| rex field=_raw "Caused by:(?.*)\sat\s" still does not give me the result i need..

however after playing around with what you have shared.. i come up with this...

|rex field=MessageText "\Caused by:(?.*)\s..."

i feel that the above \ before Caused and the ... after \s did the charm.. but no idea how.

I am sorry for asking this but can you explain how it worked?

gcusello · ‎07-25-2017

Hi olbinado11,
try something like this

Caused by:(?<your_field>.*)\sat\scom.

You can test it at https://regex101.com/r/8BdlXU/1
Bye.
Giuseppe

olbinado11 · ‎07-25-2017

|rex field=MessageText "\Caused by:(?.*)\sat\scom."

Unfortunately not working.

gcusello · ‎07-26-2017

strange, in regex101 is working!
https://regex101.com/r/8BdlXU/3

did you tried?

your_search
| rex "(?s)Caused by:(?<rootcause>.*)\sat\scom."
| ...

Bye.
Giuseppe

Creating a new field from a default field

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio