Splunk Search

filtering errors based on two timestamps

Nisha18789
Builder

I have a site and errors on that site are being recorded in Splunk.
I basically need to filter out those errors which occur due to a particular deployment for that sourcetype.
Suppose 10 days before deployment the errors (exceptions) were: A, B, C and D
2 days after deployment the errors were: A, B, C, D and E

So I need to prepare a query which gets the result as E, i.e. the new errors that are occurring after the recent deployment.

We need to compare the first 100 characters of the Message of today's errors with that of previous days. If the message has occurred before, then we will ignore that message in the result. The result should include only fresh messages after a particular deployment.
Also, the only characteristic feature of the error is 'Message', which has a value like: 'Advisory Code: 1315 was not found in the CMS....' We need to compare the first 100 letters approx.

please help me out....


lpolo
Motivator

Since your question does not have any specific log event example, use the following after your Splunk query construct:

include your splunk query construct that identifies your deploy error events here| eventstats latest(_time) as ltime by host | where _time=ltime

The result set should be the last event "deployment error" found in each host.

Thanks,
Lp


Nisha18789
Builder

Could you please tell me how to find the difference between two searches, which will solve my problem as:
(search for errors during past 2 days) - (search for errors during past 30 days) = required result

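An added SPL example, not from any poster in this thread, showing one way to compute the set difference described above using the "first 100 characters of Message" key from the original question. It assumes the events sit in index=main as in lpolo's reply, that YOUR_SOURCETYPE is a placeholder to replace, and that the deployment happened two days ago (the "-2d@d" in the deploy_time eval is the assumed deployment point; adjust it to the real one).

```spl
index=main sourcetype="YOUR_SOURCETYPE" Message=* earliest=-30d latest=now
| eval msgkey=substr(Message, 1, 100)
| eval deploy_time=relative_time(now(), "-2d@d")
| eval window=if(_time >= deploy_time, "after", "before")
| stats count(eval(window="before")) AS before_count
        count(eval(window="after"))  AS after_count
        min(_time) AS first_seen
        values(host) AS hosts
        BY msgkey
| where before_count=0 AND after_count>0
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| sort - after_count
| table msgkey first_seen after_count hosts
```

Each row is a message prefix that never appeared in the 28 days before the deployment but did appear after it, which is the "E" in the question. If numeric identifiers inside the message (such as the advisory code) should not produce separate keys, change the first eval to msgkey=substr(replace(Message, "\d+", "N"), 1, 100).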

Nisha18789
Builder

I used the query but it's not giving me the required output, since I want the particular deployment error, i.e. all other errors which were common in the previous 30 days and after deployment should be filtered out. Please help...


lpolo
Motivator

To learn about the Splunk query language you can start with this online book:
http://www.splunk.com/goto/book

You may try this:
Assuming that the event sample is indexed in the main index:

index=main EventCode=0 EventIdentifier=0 EventType=3 SourceName="some value"|eventstats latest(_time) as ltime by host | where _time=ltime|table host TimeGenerated RecordNumber ComputerName Message

Nisha18789
Builder

I am posting a sample event log:

20131024002915.000000
Category=0
CategoryString=NULL
EventCode=0
EventIdentifier=0
EventType=3
Logfile="some value"
RecordNumber=5866554
SourceName="some value"
TimeGenerated=20131024042915.000000-000
Type=Information
User=NULL
ComputerName="some value"
wmi_type="Application Name"
Message=Advisory Code: 1249 was not found in the CMS. Description:We are not able to find any rates that match the qualifiers you specified. Please modify your search criteria, or select from the alternates.


Nisha18789
Builder

I do not know how to make that query construct that identifies deploy error events. That is what I am asking.
I am posting the event log as an answer as it will not be visible clearly here in a comment.
