Splunk Search

How to group the messages by exception message present in stack_trace field of a json event?

ghostrider
Path Finder

I have JSON events/messages in my search result. There is a field or property called "stack_trace" in the JSON like below. I want to group the events and count them as shown below based on the exception reason or message. The problem is that the traces are multi-lined, and hence the query below that I am using seems not able to extract the exact exception message. Is there a way to achieve the expected output?

Event

{
MESSAGE : Failed to send
stack_trace : com.abc.xyz.package.ExceptionName: Missing A.
at random.package.w(DummyFile1:45)
at random.package.x(DummyFile2:64)
at random.package.y(DummyFile3:79)
}

Query I am using


MY_SEARCH | rex field=stack_trace "(?<exceptionclass>\w+): (?<exceptiontext>\w+)."
| stats count as Count by "exceptiontext"

Expected Output

Exception     Count

Missing A     3
Missing B     4
Missing C     1


gcusello
SplunkTrust

Hi @ghostrider,

you have to review your regex, please try this:

MY_SEARCH 
| rex field=stack_trace "ExceptionName: (?<exceptiontext>[^\.]+)"
| stats count as Count by "exceptiontext"

that you can test at https://regex101.com/r/OAJ4Iw/1

Ciao.

Giuseppe

ghostrider
Path Finder

Thank you!! The issue is that "ExceptionName" is not the same for all the exceptions. Is there a way to completely ignore this part and just get the exception message?


gcusello
SplunkTrust

Hi @ghostrider,

sorry, but I don't understand your need: maybe you should categorize the messages to find all the regexes needed to extract the message.

If you could share a sample of the other kind of logs I could try to find a regex.

Ciao.

Giuseppe


ghostrider
Path Finder

Ok. So what I am trying to say is that currently we can have different exception names in the events, like below. In this case your query will not work, since you are matching "ExceptionName" literally. So is there any way to ignore the entire text up to ":" and just extract the "Missing A" etc. part?

Event 1

{

MESSAGE : Failed to send 
stack_trace : com.abc.xyz.package.ExceptionName: Missing A.
at random.package.w(DummyFile1:45)
at random.package.x(DummyFile2:64)
at random.package.y(DummyFile3:79)
}
Event 2

{

MESSAGE : Failed to send 
stack_trace : com.abc.xyz.package.OtherExceptionName: Missing B.
at random.package.w(DummyFile1:45)
at random.package.x(DummyFile2:64)
at random.package.y(DummyFile3:79)
}

Event 3

{
MESSAGE : Failed to send
stack_trace : com.abc.xyz.package.SomeOtherExceptionName: Missing C.
at random.package.w(DummyFile1:45)
at random.package.x(DummyFile2:64)
at random.package.y(DummyFile3:79)
}


gcusello
SplunkTrust

Hi @ghostrider,

you have to identify the string to capture.

Viewing your sample with the same regex, you can take all the messages as you can see at https://regex101.com/r/OAJ4Iw/2

It's not relevant if there is something else before ExceptionName; what matters is that there's "ExceptionName: ".

If you don't have this word it's difficult, because you have many colons in your logs, so a colon alone isn't sufficient to identify the string to capture.

Ciao.

Giuseppe

ghostrider
Path Finder

Yes, thanks, your query is perfect. I was just curious whether there is any way to include in the regex a condition to extract the string up to the end of the current line only and not go on to the next line. Currently you have "." as the limiting char up to which the string is read.


yuanliu
SplunkTrust

@ghostrider have you tried just using

| rex field=stack_trace "^(?<classname>.+)\.\w+: (?<exceptiontext>.+)"

Using your sample data, output is like

classname              exceptiontext    stack_trace
com.abc.xyz.package    Missing A.       com.abc.xyz.package.ExceptionName: Missing A.
                                        at random.package.w(DummyFile1:45)
                                        at random.package.x(DummyFile2:64)
                                        at random.package.y(DummyFile3:79)

By default, rex stops at the first line.

PickleRick
SplunkTrust

You have to anchor your regex somewhere 🙂

Otherwise the regex processor will not know where to start or stop. That's why the constant part, ExceptionName, is needed. Regex is a simple tool which matches strings to patterns; it doesn't understand "business logic" and cannot guess what you want 😉

So you have to either anchor it with a specific constant term(s) or restrict it to a special pattern. There's no way around it. You could try extracting, for example, a second line from each matching event, but then you'd have to be sure it's always on the second line.
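As an added illustration (not code from this thread), yuanliu's rex ported to Python and run over constructed events in the shape the thread shows; it also covers the two cases the discussion raises, a colon inside the message and a trace with no "Class: message" header, and keeps the latter visible instead of letting `stats` drop it.

```python
import re
from collections import Counter

# Python port of yuanliu's rex (Splunk's (?<name>...) becomes (?P<name>...)).
# Without re.DOTALL a "." never matches a newline, so both captures end at
# the first line break, which is why the "at ..." frames are ignored.
FIRST_LINE_RE = re.compile(r"^(?P<classname>.+)\.\w+: (?P<exceptiontext>.+)")

# Frames shared by the constructed sample traces below (hypothetical data).
FRAMES = ("\nat random.package.w(DummyFile1:45)"
          "\nat random.package.x(DummyFile2:64)"
          "\nat random.package.y(DummyFile3:79)")

def make_event(first_line):
    """Build a constructed event in the JSON-like shape the thread shows."""
    return {"MESSAGE": "Failed to send", "stack_trace": first_line + FRAMES}

EVENTS = [
    make_event("com.abc.xyz.package.ExceptionName: Missing A."),
    make_event("com.abc.xyz.package.ExceptionName: Missing A."),
    make_event("com.abc.xyz.package.OtherExceptionName: Missing B."),
    # A colon inside the message: the "\.\w+: " anchor still splits correctly
    # because greedy backtracking stops at the last ".Word: " on the line.
    make_event("com.abc.xyz.package.SomeOtherExceptionName: Missing C: retry later."),
    # No "fully.qualified.Class: message" header at all: the rex yields no field.
    make_event("Connection reset by peer"),
]

def extract_exception(stack_trace):
    """Return (classname, exceptiontext) parsed from the first line, or None
    when the trace does not start with 'fully.qualified.Class: message'.
    The trailing period is stripped to match the asker's expected output."""
    m = FIRST_LINE_RE.match(stack_trace)
    if m is None:
        return None
    return m.group("classname"), m.group("exceptiontext").rstrip(".")

def count_by_exception(events):
    """Equivalent of '| stats count by exceptiontext', except that events the
    regex does not match are counted under '<unparsed>' rather than silently
    dropped, so a trace format the regex no longer fits shows up in the table."""
    counts = Counter()
    for event in events:
        parsed = extract_exception(event.get("stack_trace", ""))
        counts[parsed[1] if parsed else "<unparsed>"] += 1
    return dict(counts)

if __name__ == "__main__":
    for name, n in sorted(count_by_exception(EVENTS).items()):
        print(f"{name:<25}{n}")
```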

gcusello
SplunkTrust

Hi @ghostrider,

sorry, but I don't understand; could you share and highlight what you want to extract?

Ciao.

Giuseppe
