
I want to extract the kind of error and store it in the field error_type for each event.

I have three kinds of errors mainly occurring in my logs, within different events.

I want error_type to be populated only with the error that the particular event has.

I tried extracting the field from the Splunk logs, but I am unable to add a regex (regular expression) with an OR for the error types.

Also, if an error other than A, B or C is present in some other event, it should not populate the error_type field in that event. Is this possible?

    Help us help you. Please provide examples of the events from which you wish to extract the field (make sure it's clear where the field is). Please also tell what you've tried already and what the results were. Why can you not use regex? – RichG May 05 '21 at 11:38
  • @RichG [KafkaConsumerDestination{consumerDestinationName='stg.queuing.OMS.People', partitions=0, dlqName='null'}.container-0-C-1] o.s.i.h.LoggingHandler - All attempts to deliver Message to MessageHandlers failed.; nested exception is org.springframework.messaging.MessageHandlingException: error occurred during processing message in 'MethodInvokingMessageProcessor' [org.springframework.integration.handler.MethodInvokingMessageProcessor@7e44a4a]; nested exception is java.lang.NullPointerException, failedMessage=GenericMessage [payload=FailedDeserializationInfo{topic='value', – knowledge20 May 05 '21 at 21:03
  • Above is one of the events, and I am looking to capture java.lang.NullPointerException. However, I have multiple events coming in one search with different logs for different errors. How do I add them to a single variable? – knowledge20 May 05 '21 at 21:05

1 Answer

You didn't say why you can't use regex, so I'm going to use one. There is more than one exception in the sample event, which the rex command can handle just fine. Then we'll use mvindex to select the last exception found.

... | rex max_match=0 "nested exception is (?<exceptions>[\w.$]+)"
| eval variable = mvindex(exceptions, -1)
| ...

As with most Splunk queries, each event is processed separately so there is little concern about multiple events appearing in a search. This query will return a single variable for each error event found.

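The pipeline in the answer, carried through to the asker's actual goal (an error_type field that is set only for three known exceptions and left empty otherwise), as an added example that is not part of the original answer. It is a Python model of the Splunk logic rather than SPL, so that it runs offline: extract_exceptions plays the role of rex max_match=0, last_exception of mvindex(exceptions, -1), and error_type of an eval case() whitelist. The first event is the asker's own sample; the other events, the three class names and the A/B/C labels are constructed assumptions.

```python
import re
from typing import List, Optional

# Sample events. Event 0 is the asker's log line; events 1-3 are constructed
# here to exercise the single-exception, not-allowed and no-exception cases.
EVENTS = [
    "[KafkaConsumerDestination{consumerDestinationName='stg.queuing.OMS.People', "
    "partitions=0, dlqName='null'}.container-0-C-1] o.s.i.h.LoggingHandler - "
    "All attempts to deliver Message to MessageHandlers failed.; nested exception is "
    "org.springframework.messaging.MessageHandlingException: error occurred during "
    "processing message in 'MethodInvokingMessageProcessor' "
    "[org.springframework.integration.handler.MethodInvokingMessageProcessor@7e44a4a]; "
    "nested exception is java.lang.NullPointerException, failedMessage=GenericMessage "
    "[payload=FailedDeserializationInfo{topic='value',",
    # constructed: one exception, in the allowed set
    "o.s.i.h.LoggingHandler - delivery failed; nested exception is "
    "java.net.SocketTimeoutException: Read timed out",
    # constructed: one exception, outside the allowed set
    "o.s.i.h.LoggingHandler - delivery failed; nested exception is "
    "java.lang.IllegalStateException: consumer closed",
    # constructed: no exception marker at all
    "o.s.i.h.LoggingHandler - consumer rebalance complete",
]

# Same pattern as the answer's rex. The class-name character class stops the
# capture at ':', ',' or whitespace, so message text that may be influenced by
# whoever produced the Kafka payload never bleeds into the extracted field.
EXCEPTION_RE = re.compile(r"nested exception is (?P<exception>[\w.$]+)")

# Assumed mapping for the question's placeholder error types A, B and C.
ERROR_TYPES = {
    "java.lang.NullPointerException": "A",
    "java.net.SocketTimeoutException": "B",
    "com.fasterxml.jackson.databind.JsonMappingException": "C",
}


def extract_exceptions(event: str) -> List[str]:
    """All exception class names in one event, in order (rex max_match=0)."""
    return EXCEPTION_RE.findall(event)


def last_exception(event: str) -> Optional[str]:
    """Innermost exception, like mvindex(exceptions, -1); None when absent."""
    found = extract_exceptions(event)
    return found[-1] if found else None


def error_type(event: str) -> Optional[str]:
    """A, B or C for a known exception, otherwise None.

    None stands for an unpopulated Splunk field, which is what eval case()
    yields when no branch matches.
    """
    exc = last_exception(event)
    return ERROR_TYPES.get(exc) if exc else None


def classify(events: List[str]) -> List[Optional[str]]:
    """Each event is processed independently, as Splunk does per event."""
    return [error_type(e) for e in events]


if __name__ == "__main__":
    for ev, et in zip(EVENTS, classify(EVENTS)):
        print(f"{et!s:>4}  {last_exception(ev)}")
```

In SPL the whitelist step is an eval with case(), e.g. `| eval error_type = case(variable=="java.lang.NullPointerException","A", variable=="java.net.SocketTimeoutException","B", variable=="com.fasterxml.jackson.databind.JsonMappingException","C")`; case() returns null when no condition matches, so events with any other exception, or none, simply have no error_type field.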