Exception logging by time

ruffson
New Member

Hey Guys,

I'm having problems analyzing log files, which are printing out exceptions, traces and exceptions that are an outcome of the first exception.

So there are many lines caused by one exception which are presenting both other exceptions, caused by the first exception, and their traces.

Here is an example:

876 INFO   | jvm 1    | main    | 2011/01/31 00:00:50.261 | de.ct.commons.exception.ObjectNotFoundException: java.lang.reflect.InvocationTargetException
877 INFO   | jvm 1    | main    | 2011/01/31 00:00:50.261 |     at de.ct.commons.facade.category.CategoryFacadeDefaultImpl.getCategoryByCode(CategoryFacadeDefaultImpl.java:92)
938 INFO   | jvm 1    | main    | 2011/01/31 00:00:50.261 |     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
...
958 INFO   | jvm 1    | main    | 2011/01/31 00:00:50.261 |     at java.lang.Thread.run(Thread.java:619)
959 INFO   | jvm 1    | main    | 2011/01/31 00:00:50.261 | Caused by: de.ct.commons.exception.BaseException: java.lang.reflect.InvocationTargetException
961 INFO   | jvm 1    | main    | 2011/01/31 00:00:50.261 |     at de.ct.commons.facade.category.CategoryFacadeDefaultImpl.getCategoryByCode(CategoryFacadeDefaultImpl.java:90)
962 INFO   | jvm 1    | main    | 2011/01/31 00:00:50.261 |     ... 81 more
963 INFO   | jvm 1    | main    | 2011/01/31 00:00:50.261 | Caused by: java.lang.reflect.InvocationTargetException
...
969 INFO   | jvm 1    | main    | 2011/01/31 00:00:50.262 |     at de.ct.commons.cmd.HybrisCommandProcessor.execute(HybrisCommandProcessor.java:72)
970 INFO   | jvm 1    | main    | 2011/01/31 00:00:50.262 |     ... 82 more
971 INFO   | jvm 1    | main    | 2011/01/31 00:00:50.262 | Caused by: de.ct.commons.exception.ObjectNotFoundException: No category found with code men_flannel
972 INFO   | jvm 1    | main    | 2011/01/31 00:00:50.262 |     at de.ct.commons.services.impl.CategoryServiceImpl.getHYCategory(CategoryServiceImpl.java:78)
973 INFO   | jvm 1    | main    | 2011/01/31 00:00:50.262 |     at de.ct.commons.services.impl.CategoryServiceImpl.loadItemByCode(CategoryServiceImpl.java:33)
974 INFO   | jvm 1    | main    | 2011/01/31 00:00:50.262 |     ... 88 more
975 INFO   | jvm 1    | main    | 2011/01/31 00:00:50.462 | Jan 31, 2011 12:00:50 AM com.sun.facelets.FaceletViewHandler handleRenderException
976 INFO   | jvm 1    | main    | 2011/01/31 00:00:50.462 | SEVERE: Error Rendering View[/pages/productoverview.xhtml]
978 INFO   | jvm 1    | main    | 2011/01/31 00:00:50.462 |     at com.sun.facelets.tag.TagAttribute.getObject(TagAttribute.java:235)
979 INFO   | jvm 1    | main    | 2011/01/31 00:00:50.462 |     at com.sun.facelets.tag.TagAttribute.getBoolean(TagAttribute.java:79)
974 INFO   | jvm 1    | main    | 2011/01/31 00:00:50.262 |     ... 88 more
975 INFO   | jvm 1    | main    | 2011/01/31 00:00:50.462 | Jan 31, 2011 12:00:50 AM com.sun.facelets.FaceletViewHandler handleRenderException

So as you can see from the timestamp, this is one event caused by an exception and causing other exceptions (from 00:00:50.261 - 00:00:50.262). What I want to do with Splunk now is to get the exceptions (without their trace obviously) and list them, so I can analyze which of them occur with what frequency.

I tried it with findtypes, typelearner, field extractor etc. but nothing would help me to find similar exceptions, group and list them so that I can work with the data.

Can someone help me? Thank you very much!

Kind regards

0 Karma

woodcock
Esteemed Legend

You need the cluster command; try this:

sourcetype=MySourceType exception | cluster showcount=t | table cluster_count _raw | sort -cluster_count
0 Karma
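
An offline sketch of the grouping the question asks for, added here as an example and not part of either post or of Splunk: it parses the wrapper format from the question, keeps only exception header lines (dropping `at ...` frames and `... N more`), attaches each `Caused by:` line to the chain it belongs to, and counts classes and root causes. The function names, the assumption that exception class names end in `Exception` or `Error`, and the second event in the sample (line 1201 onward) are assumptions made for the example.

```python
import re
from collections import Counter

# First event: lines copied from the question's sample.
# Second event (line 1201 onward) is constructed for this example.
SAMPLE = """\
876 INFO   | jvm 1    | main    | 2011/01/31 00:00:50.261 | de.ct.commons.exception.ObjectNotFoundException: java.lang.reflect.InvocationTargetException
877 INFO   | jvm 1    | main    | 2011/01/31 00:00:50.261 |     at de.ct.commons.facade.category.CategoryFacadeDefaultImpl.getCategoryByCode(CategoryFacadeDefaultImpl.java:92)
959 INFO   | jvm 1    | main    | 2011/01/31 00:00:50.261 | Caused by: de.ct.commons.exception.BaseException: java.lang.reflect.InvocationTargetException
963 INFO   | jvm 1    | main    | 2011/01/31 00:00:50.261 | Caused by: java.lang.reflect.InvocationTargetException
971 INFO   | jvm 1    | main    | 2011/01/31 00:00:50.262 | Caused by: de.ct.commons.exception.ObjectNotFoundException: No category found with code men_flannel
974 INFO   | jvm 1    | main    | 2011/01/31 00:00:50.262 |     ... 88 more
976 INFO   | jvm 1    | main    | 2011/01/31 00:00:50.462 | SEVERE: Error Rendering View[/pages/productoverview.xhtml]
1201 INFO   | jvm 1    | main    | 2011/01/31 00:03:12.114 | de.ct.commons.exception.BaseException: lookup failed
1202 INFO   | jvm 1    | main    | 2011/01/31 00:03:12.114 |     at de.ct.commons.cmd.HybrisCommandProcessor.execute(HybrisCommandProcessor.java:72)
1203 INFO   | jvm 1    | main    | 2011/01/31 00:03:12.114 | Caused by: de.ct.commons.exception.ObjectNotFoundException: No category found with code men_denim
"""

# Header line: optional "Caused by: ", a dotted class name, optional ": message".
# Assumption: class names end in "Exception" or "Error".
HEADER = re.compile(
    r"^(?P<caused>Caused by: )?"
    r"(?P<cls>(?:[A-Za-z_$][\w$]*\.)+[A-Za-z_$][\w$]*(?:Exception|Error))"
    r"(?::.*)?$")

def parse_chains(text):
    """Return one list of exception classes per chain, outermost first."""
    chains = []
    for line in text.splitlines():
        parts = line.split(" | ", 4)      # prefix, jvm, thread, timestamp, message
        if len(parts) < 5:
            continue
        m = HEADER.match(parts[4])
        if not m:
            continue                      # stack frame, "... N more", other output
        if m.group("caused") and chains:
            chains[-1].append(m.group("cls"))   # nested cause of the current chain
        else:
            chains.append([m.group("cls")])     # new top-level exception
    return chains

def frequencies(chains):
    """Count every exception class seen, and the root cause of each chain."""
    all_classes = Counter(cls for chain in chains for cls in chain)
    root_causes = Counter(chain[-1] for chain in chains)
    return all_classes, root_causes

if __name__ == "__main__":
    for name, counter in zip(("all", "root"), frequencies(parse_chains(SAMPLE))):
        print(name, counter.most_common())
```

Counting root causes separately keeps one failure from being counted once per wrapper exception in its chain.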