When applying a table view to my search, the Java ...

ayousseff · ‎06-02-2017

Hi,

i have the below json object that is being returned when applying my search:

index="devops" sourcetype="_json"  source="*" priority="ERROR"

the output looks very nice when applying the LIST view, but when i switch into table view, the java exception looks bad and not visible at all. i tried to apply spath on the search to extract just the message with a proper java stack format with no success.
would anyone please help me?

{   [-] 
             className:  controlpanel.visitor.agents.CommandAgentDetailsCollector   
             date:   2017-06-02T13:06:41.805Z   
             message:    Failed to fetch installed packagesjava.lang.Exception: Problem backing up O:\mx_ox14270_85161\.ci\MX_III\wizardconfig-mxClient.xml to O:\mx_ox14270_85161\.ci\MX_III\backup_1891044466339645987.xml
        java.lang.Exception: Problem backing up O:\mx_ox14270_85161\.ci\MX_III\wizardconfig-mxClient.xml to O:\mx_ox14270_85161\.ci\MX_III\backup_1891044466339645987.xml
            at test.application.cc.wizardsync.Synchronizer.write(Synchronizer.java:101)
            at test.application.cc.wizardsync.Synchronizer.sync(Synchronizer.java:66)
            at test.application.cc.deploy.helper.DefaultDeployerHelper.syncWizardConfigs(DefaultDeployerHelper.java:91)
            at test.application.cc.deploy.DefaultDeployer.getInstalledWizardConfig(DefaultDeployer.java:624)
            at test.application.cc.deploy.DefaultDeployer.getInstalledPackages(DefaultDeployer.java:173)
            at test.application.cc.deploy.DefaultDeployer.getInstalledPackages(DefaultDeployer.java:162)
            at sun.reflect.GeneratedMethodAccessor132.invoke(Unknown Source)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
            at java.lang.reflect.Method.invoke(Unknown Source)
            at test.middleware.remoting.connection.ConnectionTransportDispatcher.invokeMethod(ConnectionTransportDispatcher.java:146)
            at test.middleware.remoting.connection.ConnectionTransportDispatcher.dispatch(ConnectionTransportDispatcher.java:72)
            at test.middleware.remoting.transport.ChannelConnection$2.call(ChannelConnection.java:324)
            at test.middleware.remoting.transport.ChannelConnection$2.call(ChannelConnection.java:310)
            at java.util.concurrent.FutureTask.run(Unknown Source)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
            at java.lang.Thread.run(Unknown Source)
            at test.middleware.remoting.connection.Invoker.invoke(Invoker.java:150)
            at test.middleware.remoting.connection.ObjectHandler.invoke(ObjectHandler.java:81)
            at com.sun.proxy.$Proxy141.getInstalledPackages(Unknown Source)
            at test.application.cc.helper.controlpanel.visitor.agents.CommandAgentDetailsCollector.fillAgents(CommandAgentDetailsCollector.java:181)
            at test.application.cc.helper.controlpanel.visitor.agents.CommandAgentDetailsCollector.access$100(CommandAgentDetailsCollector.java:55)
            at test.application.cc.helper.controlpanel.visitor.agents.CommandAgentDetailsCollector$1.run(CommandAgentDetailsCollector.java:126)
            at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
            at java.util.concurrent.FutureTask.run(FutureTask.java:266)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
            at java.lang.Thread.run(Thread.java:745)

             priority:   ERROR  
             thread:     pool-5-thread-33   
}

ayousseff · ‎06-07-2017

Hi,
i applied this but i still get the below output when i switch to table view which is not visible like the list view
index="devops" sourcetype="_json" priority=ERROR | head 1 | rex "(?m)(?java.lang.Exception:.)$" | rex "(?m)(?at\s[^)])$)" max_match=0

Failed to fetch installed packagesjava.lang.Exception: Problem backing up O:\mx_ox14270_85161.ci\MX_III\wizardconfig-mxClient.xml to O:\mx_ox14270_85161.ci\MX_III\backup_640174093285038704.xml java.lang.Exception: Problem backing up O:\mx_ox14270_85161.ci\MX_III\wizardconfig-mxClient.xml to O:\mx_ox14270_85161.ci\MX_III\backup_640174093285038704.xml at test.application.cis.wizardsync.Synchronizer.write(Synchronizer.java:101) at test.application.cis.wizardsync.Synchronizer.sync(Synchronizer.java:66) at test.application.cis.deploy.helper.DefaultDeployerHelper.syncWizardConfigs(DefaultDeployerHelper.java:91) at test.application.cis.deploy.DefaultDeployer.getInstalledWizardConfig(DefaultDeployer.java:624) at test.application.cis.deploy.DefaultDeployer.getInstalledPackages(DefaultDeployer.java:173) at test.application.cis.deploy.DefaultDeployer.getInstalledPackages(DefaultDeployer.java:162) at sun.reflect.GeneratedMethodAccessor132.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at test.middleware.remoting.connection.ConnectionTransportDispatcher.invokeMethod(ConnectionTransportDispatcher.java:146) at test.middleware.remoting.connection.ConnectionTransportDispatcher.dispatch(ConnectionTransportDispatcher.java:72) at test.middleware.remoting.transport.ChannelConnection$2.call(ChannelConnection.java:324) at test.middleware.remoting.transport.ChannelConnection$2.call(ChannelConnection.java:310) at java.util.concurrent.FutureTask.run(Unknown Source) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.lang.Thread.run(Unknown Source) at test.middleware.remoting.connection.Invoker.invoke(Invoker.java:150) at test.middleware.remoting.connection.ObjectHandler.invoke(ObjectHandler.java:81) at com.sun.proxy.$Proxy141.getInstalledPackages(Unknown Source) at test.application.cis.helper.controlpanel.visitor.agents.CommandAgentDetailsCollector.fillAgents(CommandAgentDetailsCollector.java:181) at test.application.cis.helper.controlpanel.visitor.agents.CommandAgentDetailsCollector.access$100(CommandAgentDetailsCollector.java:55) at test.application.cis.helper.controlpanel.visitor.agents.CommandAgentDetailsCollector$1.run(CommandAgentDetailsCollector.java:126) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745)

DalJeanis · ‎06-04-2017

Here's a couple of rexes you can try, just treating the input as text and pulling out what you want. I'm assuming the json qualifies for multi-line treatment, thus the (?m) flag on the regex and the $ anchor for end of line.

 index="devops" sourcetype="_json"  source="*" priority="ERROR" 
| head 1 
| rex "(?m)(?<exception>java\.lang\.Exception:.*)$" 
| rex "(?m)(?<chunk>at\s[^\)]*\)$)" max_match=0

I'm also assuming that all the stack steps will start with the word "at". If they might also start with the word "foo", then do something like this (you can test your code over at regex101.com)...

| rex "(?m)(?<chunk>(at|foo)\s[^\)]*\)$)" max_match=0

When applying a table view to my search, the Java stack exception is not display well. How to resolve this?

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?