Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract more number of strings under the same field name?

Madhan45
Path Finder
‎07-17-2015 05:02 AM

my event is - "common.exceptions.CommandFailedAtServerException:
concurrent.ExecutionException:
common.SocketPoolException: Unable to connect socket ... 3 lines omitted: java.net.ConnectException: Connection refused ... 8 lines omitted ... common.exceptions.CommandFailedException: "

i want to extract strings "CommandFailedAtServerException, ExecutionException, SocketPoolException java.net.ConnectException CommandFailedException" from the above event under the single filed?

How can i do that?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-17-2015 07:48 AM

Like this:

| rex max_match=0 "(?im).*?(?<Exceptions>[\S]*Exception[\S]*)"

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-17-2015 07:48 AM

Like this:

| rex max_match=0 "(?im).*?(?<Exceptions>[\S]*Exception[\S]*)"
Reply
Solved! Jump to solution

Madhan45
Path Finder
‎07-20-2015 03:44 AM

And one more question. I have two source files and they are containing following fields
1.source=Order, fields= Key,Name,Product,Price
2.source=Delivery, fields=Key,Shipdat,delivery location,price,

The data which comes under "Delivery" should fall under "delivered" category for that i have used this join query ""source="Delivery.csv"| eval status="Delivered"|join Key [source=order.csv|]"" and i got the result.

So how to use the join query for the category "Not delivered"

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-30-2015 09:11 AM

Try this:

source="Delivery.csv" OR source="order.csv" | stats values(*) AS * BY Key | where isnull(delivery)

If that doesn't do it, ask a new question in the forum.

0 Karma
Reply
Solved! Jump to solution

Madhan45
Path Finder
‎07-19-2015 08:12 PM

Hi woodcock.. thats really great... could u explain me the logic?

0 Karma
Reply
Solved! Jump to solution

Madhan45
Path Finder
‎07-20-2015 03:23 AM

great.. thanks a ton

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-19-2015 09:06 PM

The rex command takes the _raw field and applies the RegEx to it as many times as possible (max_match=0). The i is for ignore case and the m is for multiline. we skip as few characters as possible to get to non-whitespace characters that end with "Exception" followed by as many non-whitespace characters as possible (this creates the whitespace boundaries) and we call that captured string Exceptions.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...