- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Help with REGEX to create field extraction
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looking to find this value for "java.net.SocketException" and populate a new field in Splunk's interesting fields. Getting better at regex but still missing the final pieces to make this work. How to i take the string "Too many open files" and create a new interesting field named "SocketException". Could have many different values. There is also a character return after this line, so I need the value after the colon and space, to the end of the line. Should be "Too many open files" in this example
EXAMPLE OF LOG
at java.lang.Thread.run(Thread.java:748)
Caused by: java.net.SocketException: Too many open files
at java.net.Socket.createImpl(Socket.java:460)
WHAT I HAVE SO FAR:
>regex: java\.net\.SocketException:\s
Thanks so much! - Joe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Joe,
Give this regex a try for me:
java\.net\.SocketException\:\s(?<SocketException>[^\n]+)
In order to capture everything until the newline, we're using something called a negated character set. If you're curious about how it works, check this link out - https://www.regular-expressions.info/charclass.html
Let me know if this extraction doesn't work for you and I'll try to help fix it!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Joe,
Give this regex a try for me:
java\.net\.SocketException\:\s(?<SocketException>[^\n]+)
In order to capture everything until the newline, we're using something called a negated character set. If you're curious about how it works, check this link out - https://www.regular-expressions.info/charclass.html
Let me know if this extraction doesn't work for you and I'll try to help fix it!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That worked perfectly! Thanks so much for the help, and the link. I will definitely check this out. Regex skills definitely need to be improved, but this is awesome!
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
