Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to do newline splitting for a single event

sumitnagal
Path Finder
‎09-12-2012 05:58 PM

Hi,
I want to identified the exception caused by my API to the external API. here is example, I am looking for below output

14 Jun 2012 07:38:55,280 [ABCD] ERROR my.classname (46) - The exception value: An error occurred while processing the request on the server: System.Runtime.Remoting.RemotingException: Server is busy. Try request again later.
at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:188)
at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:130)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
at $Proxy207.retrieveDeploymentById(Unknown Source)
at com.test.abc.my(classname:46)

I am looking for below output

14 Jun 2012 07:38:55  my.class 46  com.sun.xml.ws.fault.SOAP11Fault.getProtocolException System.Runtime.Remoting.RemotingException

I am trying below query, but not sure how can do line breaking after getting value.

search | rex "(?i)^(?P<DATEFIELD>[^,]+),\\d+\\s+\[(?P<FIELDNAME>[^ ]+)\] (?P<LOGTYPE>(INFO|ERROR|DEBUG)) (?P<CALLNAME>[^ ]+)\(\d+\)\\s-\\s(?P<FIELDNAME2>[^-]+)" | rex "(?i)\tat (?P<FIELDNAME3>[^\(]+)"

Thanks,
Sumit

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jonuwz
Influencer
‎09-13-2012 03:09 AM

Like this :

... | rex "(?si)^(?P<DATEFIELD>[^,]+),\d+\s+\[(?P<FIELDNAME>[^ ]+)\] (?P<LOGTYPE>(INFO|ERROR|DEBUG)) (?P<CALLNAME>[^ ]+) \((?P<FIELDNAME2>\d+)\).*?:.*?:\s+(?P<FIELDNAME3>[^:]+).*?[\r\n]+\s*at\s+(?P<FIELDNAME4>[^\(]+)" 
| table DATEFIELD FIELDNAME LOGTYPE CALLNAME FIELDNAME2 FIELDNAME3 FIELDNAME4

The 's' in (?si) means treat \n as a character, not a line break.

This returns :

DATEFIELD   14 Jun 2012 07:38:55
FIELDNAME   ABCD
LOGTYPE     ERROR
CALLNAME    my.classname
FIELDNAME2  46
FIELDNAME3  System.Runtime.Remoting.RemotingException
FIELDNAME4  com.sun.xml.ws.fault.SOAP11Fault.getProtocolException

View solution in original post

Reply
Solved! Jump to solution

sumitnagal
Path Finder
‎10-07-2013 02:48 AM

This is very close to what I am looking, but I can't use FIELDNAME as it may have few lines or may have too many lines. I have to parse all the lines, please suggest how do I get specific liie , com.test.abc.my from the list of stack trace.

0 Karma
Reply
Solved! Jump to solution
Solution

jonuwz
Influencer
‎09-13-2012 03:09 AM

Like this :

... | rex "(?si)^(?P<DATEFIELD>[^,]+),\d+\s+\[(?P<FIELDNAME>[^ ]+)\] (?P<LOGTYPE>(INFO|ERROR|DEBUG)) (?P<CALLNAME>[^ ]+) \((?P<FIELDNAME2>\d+)\).*?:.*?:\s+(?P<FIELDNAME3>[^:]+).*?[\r\n]+\s*at\s+(?P<FIELDNAME4>[^\(]+)" 
| table DATEFIELD FIELDNAME LOGTYPE CALLNAME FIELDNAME2 FIELDNAME3 FIELDNAME4

The 's' in (?si) means treat \n as a character, not a line break.

This returns :

DATEFIELD   14 Jun 2012 07:38:55
FIELDNAME   ABCD
LOGTYPE     ERROR
CALLNAME    my.classname
FIELDNAME2  46
FIELDNAME3  System.Runtime.Remoting.RemotingException
FIELDNAME4  com.sun.xml.ws.fault.SOAP11Fault.getProtocolException
Reply
Solved! Jump to solution

wjblazek
Explorer
‎10-28-2014 04:23 PM

Yes Thanks!

The "[\r\n]" was the key I needed to search across line breaks:

| rex field=_raw "\[(?P<field1>...)\-(?P<field2>...)\-(?P<field3>...).*\]" | rex field=_raw "(?si)\s+\-\s+Caught\s+(?P<field4>...):\s+(?P<field5>...).*[\r\n](?P<field6>...):\s(?P<field7>...)" | stats count(field2) by field2,field3,field4,field5,field6,field7

Also (?m) seems to work like (?si) to tell rex to work across multiple lines:

| rex field=_raw "\[(?P<field1>...)\-(?P<field2>...)\-(?P<field3>...).*\]" | rex field=_raw "(?m)\s+\-\s+Caught\s+(?P<field4>...):\s+(?P<field5>...).*[\r\n](?P<field6>...):\s(?P<field7>...)" | stats count(field2) by field2,field3,field4,field5,field6,field7

Is there any significant difference between (?m) and (?si) ?

Is this documented anywhere?

0 Karma
Reply
Solved! Jump to solution

jonuwz
Influencer
‎10-31-2014 04:33 PM

pcre modifiers - http://php.net/manual/en/reference.pcre.pattern.modifiers.php

0 Karma
Reply
Solved! Jump to solution

johnnyzebra
Engager
‎07-07-2014 04:16 PM

Thanks!
This helped me resolve an issue where a rex I used in my search would not work when I did it as a field extraction. (grabbing everything up to the end of the line) It seems as if the field extraction was applying the si, so my \n wouldn't work.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...