- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to display the output for tomcat logs with sta...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to display the output for tomcat logs with starttime and endtime?
Hi,
For query
(SEVERE OR exception OR CRITICAL OR "[error]")|rex field=_raw "(?^\d\d-\w\w\w-\d\d\d\d\s\d\d:\d\d:\d\d.\d\d\d)\s(?.*)"|stats count(detail) as ct by detail
I get the following:
detail ct
SEVERE [tomcat-http--38] org.apache.catalina.core.ApplicationDispatcher.invoke Servlet.service() for servlet jsp threw exception 11
SEVERE [tomcat-http--47] org.apache.catalina.core.ApplicationDispatcher.invoke Servlet.service() for servlet jsp threw exception 6
Now I want to include the start mtime and end mtime in the output so that I can see something like following:
SEVERE [tomcat-http--38] org.apache.catalina.core.ApplicationDispatcher.invoke Servlet.service() for servlet jsp threw exception 11 starttime endtime of the 11 events
SEVERE [tomcat-http--47] org.apache.catalina.core.ApplicationDispatcher.invoke Servlet.service() for servlet jsp threw exception 6 starttime of the 6 events endtime of the 6 events
SEVERE [tomcat-http--20] org.apache.catalina.core.ApplicationDispatcher.invoke Servlet.service() for servlet jsp threw exception 1 starttime endtime (where both starttime = endtime because only 1 event)
Tried with eventstats min(mtime) and max(mtime), but getting min of mtime of all the 18 events. Running out of ideas.
could someone advise me how to achieve this?
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
(SEVERE OR exception OR CRITICAL OR "[error]")|rex field=_raw "(?^dd-www-ddddsdd:dd:dd.ddd)s(?.*)"| transaction detail|eval startt=min(mtime)|eval endt=max(mtime)|table detail, source, host, startt, endt, eventcount
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @lim2
You put this search in the Answer section, but didn't include any context what this was for. Did this search solve your question?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What does your input look like?
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
(SEVERE OR exception OR CRITICAL OR "[error]")|rex field=_raw "(?^\d\d-\w\w\w-\d\d\d\d\s\d\d:\d\d:\d\d.\d\d\d)\s(?.*)"| transaction detail|eval startt=min(mtime)|eval endt=max(mtime)|stats count(detail) by detail, source, host, startt, endt
The above query is giving me the right starttime and endtime
But count(detail) is always 1.
How to get ct of events in each transaction, 5 events ? like in http://docs.splunk.com/File:TransactionEx3_eventsList.png
23-Mar-2015 10:28:22.299 SEVERE [tomcat-http--38] org.apache.catalina.core.StandardHostValve.custom Exception Processing ErrorPage[exceptionType=java.lang.Throwable, location=/error.jsp] ... 77 lines omitted ...
23-Mar-2015 10:28:37.566 SEVERE [tomcat-http--38] org.apache.catalina.core.StandardHostValve.custom Exception Processing ErrorPage[exceptionType=java.lang.Throwable, location=/error.jsp] ... 38 lines omitted ...
23-Mar-2015 10:28:50.962 SEVERE [tomcat-http--38] org.apache.catalina.core.StandardHostValve.custom Exception Processing ErrorPage[exceptionType=java.lang.Throwable, location=/error.jsp] ... 38 lines omitted ...
23-Mar-2015 10:30:31.844 SEVERE [tomcat-http--38] org.apache.catalina.core.StandardHostValve.custom Exception Processing ErrorPage[exceptionType=java.lang.Throwable, location=/error.jsp] ... 38 lines omitted ...
23-Mar-2015 10:31:04.643 SEVERE [tomcat-http--38] org.apache.catalina.core.StandardHostValve.custom Exception Processing ErrorPage[exceptionType=java.lang.Throwable, location=/error.jsp]
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
