Im using Splunk (data monitoring) and I have a regex that checks our logs and needs to return some info of a job failure. The regex works pretty good but for one job failure it does not output anything but for another nearly identical one it does. I’ve tried with regex checker but don’t get any definitive answer.
Splunk regular expressions are PCRE (Perl Compatible Regular Expressions) and use the PCRE C library.
The regex in question:
"(Exception \W: |Exception: |Microsoft.Data.SqlClient.SqlException | Exception\s \(\dx\d{8}\)\: | Microsoft.Data.SqlClient.SqlException\s \(\dx\d{8}\)\: )(?<ErrInfo2>[A-Za-z0-9\s_@.\/<#&->+?=:$!',\\\)(;-]+)"
Piece of text it works on :
Microsoft.Data.SqlClient.SqlException (0x80131904): Transaction (Process ID 76) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction.
Piece of text it doesn’t work on:
System.Data.SqlClient.SqlException (0x80131904): Cannot insert duplicate key row in object ‘collecting.IstHochrechnung’ with unique index ‘IX_IstHochrechnung_Year_CostUnitId_CostCenterId’. The duplicate key value is (2022, 2605, 333).
The part Exception\s \(\dx\d{8}\)\: takes care of the (0x80131904): entry so i dont see why it would remain empty.
Any help is more than appreciated!!
>Solution :
One is using the namespace Microsoft.Data and the other System.Data. You just need to make it so it doesn’t matter.
(Exception \W: |Exception: | ?\w{1,}.Data.SqlClient.SqlException\s ?\(\dx\d{8}\)\: )(?<ErrInfo2>[A-Za-z0-9\s_@.\/<#&->+?=:$!',\\\)(;-]+)
This still cares about the namespace, but has made it so that the first segment can be any word. E.g. test.Data.SqlClient.
I always test on regex101.com
Here is a smaller query as well… noticed you had a fair bit of duplication.
[\w\.]{1,}Exception ?\(0x\d{8}\)?: ?(?<ErrInfo2>[A-Za-z0-9\s_@.\/<#&->+?=:$!',\\\)(;-]+)