Reputation: 193
REGEX not working- Filter the Splunk results
I have Splunk results in following format:
2021-11-13 01:02:50.127 ERROR 23 --- [ taskExecutor-2] c.c.p.r.service.RedisService : The Redis Cache had no record for key: null Returning empty list.
2021-10-22 21:11:51.996 ERROR 22 --- [ taskExecutor-1] c.c.p.r.service.SftpService : Could not delete file: /-/XYZ.FILE - 4: Failure
2021-10-22 02:05:14.426 ERROR 22 --- [ taskExecutor-1] c.c.p.r.service.SftpService : Could not delete file: /-/XYZ.FILE - 4: Failure
I want to create a Visualization in the following format:
| Error Message | Time | Error code | TaskExecutor Number | Service name | Count |
|---|---|---|---|---|---|
| The Redis Cache had no record for key: null Returning empty list. | 2021-11-13 01:02:50.127 | 23 | taskExecutor-2 | c.c.p.r.service.RedisService | 1 |
| Could not delete file: /-/XYZ.FILE - 4: Failure | 2021-10-22 21:11:51.996 | 22 | taskExecutor-1 | c.c.p.r.service. SftpService | 2 |
| Could not delete file: /-/XYZ.FILE - 4: Failure | 2021-10-22 02:05:14.426 | 22 | taskExecutor-1 | c.c.p.r.service. SftpService | 2 |
The count variable is based on the "Error Message" only. Since "Could not delete file: /-/XYZ.FILE - 4: Failure" appeared twice, hence the count is set to 2. As the logs grow, and this message occurrence increase, this count should increase too.
I tried using erex and substring from Splunk but kinda failed miserably!
Here is the query I tried:
index=my_index "ERROR * ---" "taskExecutor-*" | rex "^(?<Time>\S+\s+\S+)\s+\S+\s+(?<Error_Code>\d+)[^\]]+\]\s+(?<Service_Name>\S+)\:\s+(?<Error_Message>.+)"
| table Error_Message Time Error_Code Service_Name
| eventstats count as Count by Error_Message Error_Code Service_Name
Seems like there is a problem with the REGEX: https://regex101.com/r/smWKM8/2
Any help on how to fix this REGEX would be appreciated.
Thanks
Upvotes: 0
Views: 568
Answers (1)
Reputation: 9926
The regex is just missing some white space.
(?<Time>\S+\s+\S+)\s+\S+\s+(?<Error_Code>\d+)[^\]]+\]\s+(?<Service_Name>\S+)\s*:\s+(?<Error_Message>.+)
Based on the statement count variable is based on the "Error Message" only, I tweaked the query a little.
index=my_index "ERROR * ---" "taskExecutor-*"
| rex "^(?<Time>\S+\s+\S+)\s+\S+\s+(?<Error_Code>\d+)[^\]]+\]\s+(?<Service_Name>\S+)\s*:\s+(?<Error_Message>.+)"
| eventstats count as Count by Error_Message
| table Error_Message Time Error_Code Service_Name
Upvotes: 2
Related Questions
- Not able to match the regex
- splunk regex issue
- Splunk query not endswith
- Splunk: How to use multiple regular expressions in one query?
- Splunk not recognizing regex
- regex operator in Splunk is not working to match results
- Splunk subsearch for regex outputs
- RegEx in Splunk Search
- Splunk regex query returning no results
- A regex with Splunk