You can try something like this.
<base_search>
| eval
error=coalesce(spath(response, "errors{}"), spath(response, "errors"))
| fields - response
``` extract variables from the error messages ```
| rex field=error "(?i)sub\s+\'(?<sub>[^\']+)\'"
| rex field=error "(?i)product\s+id\s+(?<product_id>[^\s]+)"
| rex field=error "(?i)location\s+id\s+(?<location_id>[^\s]+)"
| rex field=error "(?i)datetime\s+(?<start_datetime>\w+\s+\d{4}(?:\-\d{2}){2}T\d{2}(?:\:\d{2}){2}(?:\+|\-)\d{2}\:\d{2})"
``` replace variables in the error messages to get a standardized set of error messages to do counts against ```
| eval
error=replace(replace(replace(replace(error, "(?i)sub\s+\'([^\']+)\'", "sub '***'"), "(?i)product\s+id\s+([^\s]+)", "product id ***"), "(?i)location\s+id\s+([^\s]+)", "location id ***"), "(?i)datetime\s+(\w+\s+\d{4}(?:\-\d{2}){2}T\d{2}(?:\:\d{2}){2}(?:\+|\-)\d{2}\:\d{2})", "datetime ***")
``` stats aggregation to get counts of error messages ```
| stats
count as count,
values(sub) as sub,
values(product_id) as product_id,
values(location_id) as location_id,
values(start_datetime) as start_datetime
by error
Results should look something like this.
You can see the counts next to the standardized error messages. Also went ahead and carried over all the variables that were replaced in error messages for context.
You could also check out the cluster command as this will give you similar results without having to do all the extractions and replacements in inline SPL.
<base_search>
| table _time, response
| eval
error=coalesce(spath(response, "errors{}"), spath(response, "errors"))
| fields - response
| cluster field=error t=0.4 showcount=true countfield=count
Results will look like this.
The error messages aren't redacted but their counts do line up pretty well to the previous example so the clustering appears to work decently.
You can read up more on the cluster command here.
https://docs.splunk.com/Documentation/Splunk/9.1.2/SearchReference/Cluster
