Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract more number of strings under the same field name?

Madhan45
Path Finder
‎07-17-2015 05:02 AM

my event is - "common.exceptions.CommandFailedAtServerException:
concurrent.ExecutionException:
common.SocketPoolException: Unable to connect socket ... 3 lines omitted: java.net.ConnectException: Connection refused ... 8 lines omitted ... common.exceptions.CommandFailedException: "

i want to extract strings "CommandFailedAtServerException, ExecutionException, SocketPoolException java.net.ConnectException CommandFailedException" from the above event under the single filed?

How can i do that?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-17-2015 07:48 AM

Like this:

| rex max_match=0 "(?im).*?(?<Exceptions>[\S]*Exception[\S]*)"

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-17-2015 07:48 AM

Like this:

| rex max_match=0 "(?im).*?(?<Exceptions>[\S]*Exception[\S]*)"
Reply
Solved! Jump to solution

Madhan45
Path Finder
‎07-20-2015 03:44 AM

And one more question. I have two source files and they are containing following fields
1.source=Order, fields= Key,Name,Product,Price
2.source=Delivery, fields=Key,Shipdat,delivery location,price,

The data which comes under "Delivery" should fall under "delivered" category for that i have used this join query ""source="Delivery.csv"| eval status="Delivered"|join Key [source=order.csv|]"" and i got the result.

So how to use the join query for the category "Not delivered"

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-30-2015 09:11 AM

Try this:

source="Delivery.csv" OR source="order.csv" | stats values(*) AS * BY Key | where isnull(delivery)

If that doesn't do it, ask a new question in the forum.

0 Karma
Reply
Solved! Jump to solution

Madhan45
Path Finder
‎07-19-2015 08:12 PM

Hi woodcock.. thats really great... could u explain me the logic?

0 Karma
Reply
Solved! Jump to solution

Madhan45
Path Finder
‎07-20-2015 03:23 AM

great.. thanks a ton

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-19-2015 09:06 PM

The rex command takes the _raw field and applies the RegEx to it as many times as possible (max_match=0). The i is for ignore case and the m is for multiline. we skip as few characters as possible to get to non-whitespace characters that end with "Exception" followed by as many non-whitespace characters as possible (this creates the whitespace boundaries) and we call that captured string Exceptions.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...