How to display the output for tomcat logs with sta...

lim2 · ‎03-23-2015

Hi,
For query

(SEVERE OR exception OR CRITICAL OR "[error]")|rex field=_raw  "(?^\d\d-\w\w\w-\d\d\d\d\s\d\d:\d\d:\d\d.\d\d\d)\s(?.*)"|stats count(detail) as ct by detail

I get the following:

detail  ct
SEVERE [tomcat-http--38] org.apache.catalina.core.ApplicationDispatcher.invoke Servlet.service() for servlet jsp threw exception    11
SEVERE [tomcat-http--47] org.apache.catalina.core.ApplicationDispatcher.invoke Servlet.service() for servlet jsp threw exception    6

Now I want to include the start mtime and end mtime in the output so that I can see something like following:

SEVERE [tomcat-http--38] org.apache.catalina.core.ApplicationDispatcher.invoke Servlet.service() for servlet jsp threw exception    11  starttime  endtime of the 11 events
SEVERE [tomcat-http--47] org.apache.catalina.core.ApplicationDispatcher.invoke Servlet.service() for servlet jsp threw exception    6   starttime of the 6 events endtime of the 6 events
SEVERE [tomcat-http--20] org.apache.catalina.core.ApplicationDispatcher.invoke Servlet.service() for servlet jsp threw exception    1   starttime  endtime (where both starttime = endtime because only 1 event)

Tried with eventstats min(mtime) and max(mtime), but getting min of mtime of all the 18 events. Running out of ideas.
could someone advise me how to achieve this?

Thanks.

lim2 · ‎03-28-2015

ppablo · ‎03-30-2015

Hi @lim2

You put this search in the Answer section, but didn't include any context what this was for. Did this search solve your question?

richgalloway · ‎03-23-2015

What does your input look like?

---
If this reply helps you, Karma would be appreciated.

lim2 · ‎03-28-2015

(SEVERE OR exception OR CRITICAL OR "[error]")|rex field=_raw "(?^\d\d-\w\w\w-\d\d\d\d\s\d\d:\d\d:\d\d.\d\d\d)\s(?.*)"| transaction detail|eval startt=min(mtime)|eval endt=max(mtime)|stats count(detail) by detail, source, host, startt, endt
The above query is giving me the right starttime and endtime
But count(detail) is always 1.
How to get ct of events in each transaction, 5 events ? like in http://docs.splunk.com/File:TransactionEx3_eventsList.png

23-Mar-2015 10:28:22.299 SEVERE [tomcat-http--38] org.apache.catalina.core.StandardHostValve.custom Exception Processing ErrorPage[exceptionType=java.lang.Throwable, location=/error.jsp] ... 77 lines omitted ...
23-Mar-2015 10:28:37.566 SEVERE [tomcat-http--38] org.apache.catalina.core.StandardHostValve.custom Exception Processing ErrorPage[exceptionType=java.lang.Throwable, location=/error.jsp] ... 38 lines omitted ...
23-Mar-2015 10:28:50.962 SEVERE [tomcat-http--38] org.apache.catalina.core.StandardHostValve.custom Exception Processing ErrorPage[exceptionType=java.lang.Throwable, location=/error.jsp] ... 38 lines omitted ...
23-Mar-2015 10:30:31.844 SEVERE [tomcat-http--38] org.apache.catalina.core.StandardHostValve.custom Exception Processing ErrorPage[exceptionType=java.lang.Throwable, location=/error.jsp] ... 38 lines omitted ...
23-Mar-2015 10:31:04.643 SEVERE [tomcat-http--38] org.apache.catalina.core.StandardHostValve.custom Exception Processing ErrorPage[exceptionType=java.lang.Throwable, location=/error.jsp]

How to display the output for tomcat logs with starttime and endtime?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!