[SOLVED] Regex does not work on nearly identical raw data in Splunk


Im using Splunk (data monitoring) and I have a regex that checks our logs and needs to return some info of a job failure. The regex works pretty good but for one job failure it does not output anything but for another nearly identical one it does. I’ve tried with regex checker but don’t get any definitive answer.
Splunk regular expressions are PCRE (Perl Compatible Regular Expressions) and use the PCRE C library.

The regex in question:
"(Exception \W: |Exception: |Microsoft.Data.SqlClient.SqlException | Exception\s \(\dx\d{8}\)\: | Microsoft.Data.SqlClient.SqlException\s \(\dx\d{8}\)\: )(?<ErrInfo2>[A-Za-z0-9\[email protected]\/<#&->+?=:$!',\\\)(;-]+)"

Piece of text it works on :

Microsoft.Data.SqlClient.SqlException (0x80131904): Transaction (Process ID 76) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction.

Piece of text it doesn’t work on:

System.Data.SqlClient.SqlException (0x80131904): Cannot insert duplicate key row in object ‘collecting.IstHochrechnung’ with unique index ‘IX_IstHochrechnung_Year_CostUnitId_CostCenterId’. The duplicate key value is (2022, 2605, 333).

The part Exception\s \(\dx\d{8}\)\: takes care of the (0x80131904): entry so i dont see why it would remain empty.

Any help is more than appreciated!!


One is using the namespace Microsoft.Data and the other System.Data. You just need to make it so it doesn’t matter.

(Exception \W: |Exception: | ?\w{1,}.Data.SqlClient.SqlException\s ?\(\dx\d{8}\)\: )(?<ErrInfo2>[A-Za-z0-9\[email protected]\/<#&->+?=:$!',\\\)(;-]+)

This still cares about the namespace, but has made it so that the first segment can be any word. E.g. test.Data.SqlClient.

I always test on regex101.com

Here is a smaller query as well… noticed you had a fair bit of duplication.

[\w\.]{1,}Exception ?\(0x\d{8}\)?: ?(?<ErrInfo2>[A-Za-z0-9\[email protected]\/<#&->+?=:$!',\\\)(;-]+)

Answered By – Monofuse

Answer Checked By – Willingham (BugsFixing Volunteer)

Leave a Reply

Your email address will not be published. Required fields are marked *