I need to run a query that matches multiple expressions from JSON data. This is what I tried, but it didn't work:
regex (Primary.stackTrace="java.lang.RuntimeException: Sign in error message." | Primary.stackTrace="java.lang.RuntimeException: Login page failed to load within 45 seconds")
Your regex
command contains regular expressions that don't match your events. "java.lang.RuntimeException: Sign in error message." expects the word "java" followed by any single character followed by "lang", a character, and the rest of the message. Try escaping periods: regex (Primary.stackTrace="java\.lang\.RuntimeException: Sign in error message" | Primary.stackTrace="java\.lang\.RuntimeException: Login page failed to load within 45 seconds")
.
Better yet, since these strings don't need to be expressions, let Splunk search for them as-is in your base search. Your performance may improve. index=foo ("java.lang.RuntimeException: Sign in error message." OR "java.lang.RuntimeException: Login page failed to load within 45 seconds") | ...
.
Your regex
command contains regular expressions that don't match your events. "java.lang.RuntimeException: Sign in error message." expects the word "java" followed by any single character followed by "lang", a character, and the rest of the message. Try escaping periods: regex (Primary.stackTrace="java\.lang\.RuntimeException: Sign in error message" | Primary.stackTrace="java\.lang\.RuntimeException: Login page failed to load within 45 seconds")
.
Better yet, since these strings don't need to be expressions, let Splunk search for them as-is in your base search. Your performance may improve. index=foo ("java.lang.RuntimeException: Sign in error message." OR "java.lang.RuntimeException: Login page failed to load within 45 seconds") | ...
.
The first suggestion did not work either, it returned an error display msg "command not known primary", and the regex command for a single expression does work.
However, the 2nd suggestion did work effectively.
Thank You
Here is an event example to demonstrate. Notice Primary.stackTrace and Secondary1.stackTrace have different values. Only events with testStatus="Failed" can have a stackTrace, and some stackTraces are not one of the regex expressions.
{ [-]
Primary: { [-]
className: com.quantum.Tests
description: Android
device: 988DD2395042313346
executionID: test@test.com_RemoteWebDriver_18-12-23_20_25_23_76623
hostName: ip-10-0-0-8
location: NA-US-BOS
methodName: My Test
methods: { [+]
}
model: Galaxy S8
monitorTag: null
os: Android
reportKey: null
reportiumReport: https://test.app.test.com/reporting/library?externalId[0]=monitor@test.com_RemoteWebDriver_18-12-23_20_25_23_76623&_timestamp[0]=1545596723084
stackTrace: java.lang.RuntimeException: Login page failed to load within 45 seconds
at com.quantum.steps._App_Steps.verifySuccessfulLogin(_App_Steps.java:81)
at com.quantum.Tests._CA_HCO_Access(Tests.java:156)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:104)
at org.testng.internal.Invoker.invokeMethod(Invoker.java:645)
at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:851)
at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:1177)
at org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:129)
at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:112)
at org.testng.TestRunner.privateRun(TestRunner.java:781)
at org.testng.TestRunner.run(TestRunner.java:635)
at org.testng.SuiteRunner.runTest(SuiteRunner.java:387)
at org.testng.SuiteRunner.access$000(SuiteRunner.java:39)
at org.testng.SuiteRunner$SuiteWorker.run(SuiteRunner.java:421)
at org.testng.internal.thread.ThreadUtil$2.call(ThreadUtil.java:64)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
testExecutionDuration: 224
testExecutionEnd: Dec 23, 2018 8:29:06 PM
testExecutionStart: Dec 23, 2018 8:25:21 PM
testName: HCO Access - device 2
testStatus: Fail
}
Secondary1: { [-]
className: com.quantum.Tests
description: Android
device: 988E16354746385136
executionID: monitor@test.com_RemoteWebDriver_18-12-23_20_25_23_76624
hostName: ip-10-0-0-8
location: NA-US-BOS
methodName: _CA_HCO_Access
methods: { [+]
}
model: Galaxy S8
monitorTag: null
os: Android
reportKey: null
reportiumReport: https://test.app.test.com/reporting/library?externalId[0]=monitor@test.com_RemoteWebDriver_18-12-23_20_25_23_76624&_timestamp[0]=1545596723084
stackTrace: java.lang.RuntimeException: Sign in error message
at com.quantum.steps._App_Steps.verifySuccessfulLogin(_App_Steps.java:81)
at com.quantum.Tests._CA_HCO_Access(Tests.java:156)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:104)
at org.testng.internal.Invoker.invokeMethod(Invoker.java:645)
at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:851)
at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:1177)
at org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:129)
at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:112)
at org.testng.TestRunner.privateRun(TestRunner.java:781)
at org.testng.TestRunner.run(TestRunner.java:635)
at org.testng.SuiteRunner.runTest(SuiteRunner.java:387)
at org.testng.SuiteRunner.access$000(SuiteRunner.java:39)
at org.testng.SuiteRunner$SuiteWorker.run(SuiteRunner.java:421)
at org.testng.internal.thread.ThreadUtil$2.call(ThreadUtil.java:64)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
testExecutionDuration: 89
testExecutionEnd: Dec 23, 2018 8:26:51 PM
testExecutionStart: Dec 23, 2018 8:25:21 PM
testName: HCO Access - device 1
testStatus: Fail
}
}
To properly diagnose regex problems, we really need to see some sample events.