Hi!
I am a relative new user of Splunk so I have only used basic search that works fine.
Background:
I'm a member of a team that maintenance a big Delphi application. That is deployed on 4 servers. If there is an exception in the application that is logged in a textfile.
This is an example how it could look like in the log:
20110429 14:39:07 (16616) [EXCEPTION] Raised EBoldOperationFailedForObjectList: Optimistic locking failed for the following 2 objects:Id: 119993351, Id: 119993879. At Location BoldSystemPersistenceHandler.TBoldSystemPersistenceHandler.UpdateDatabaseWithList (BoldSystemPersistenceHandler.pas:500)
Inner Exception Raised EBoldOperationFailedForObjectList: Optimistic locking failed for the following 2 objects:Id: 119993351, Id: 119993879. At Location BoldSystemPersistenceHandler.TBoldSystemPersistenceHandler.UpdateDatabaseWithList (BoldSystemPersistenceHandler.pas:500)
Call Stack:
[00] BoldSystemPersistenceHandler.TBoldSystemPersistenceHandler.UpdateDatabaseWithList (BoldSystemPersistenceHandler.pas:500)
[01] BoldSystem.TBoldSystem.UpdateDatabaseWithList (BoldSystem.pas:1868)
[02] BoldSystem.TBoldSystem.UpdateDatabase (BoldSystem.pas:1860)
[03] AttracsDBSync.TATSyncPersistenceHandle.DBSync (..\server\units\AttracsDBSync.pas:1071)
[04] AttracsDBSync.TATSyncPersistenceHandle.SyncSystemWithDatabase (..\server\units\AttracsDBSync.pas:1131)
[05] DMAttracs.TServerData.SyncSystemWithDatabase (..\server\code\DMAttracs.pas:467)
[06] DMAttracs.TServerData.ApplicationEventsIdle (..\server\code\DMAttracs.pas:494)
[07] AppEvnts.TCustomApplicationEvents.DoIdle (AppEvnts.pas:216)
[08] Forms.TApplication.Idle (Forms.pas:8533)
[09] Forms.TApplication.HandleMessage (Forms.pas:8124)
Question:
If I for example search for "[EXCEPTION]" I got a lot of hits like the one above. This is of type EBoldOperationFailedForObjectList but there are also many others.
Is there a way to count each typ of exception ?
For example if I have 15 exceptions today maybe 5 of those are EBoldOperationFailedForObjectList, 3 are EAccessViolation, 7 are EInvalidCast then I got this list:
Is it possible to get such list from Splunk or maybe a graph ?
Regards
Roland
Team Attracs
As JSapienza says, you want to do work with field extractions, but you can start with something like:
"EXCEPTION" | rex field=_raw "Raised (?<reason>\w+):" | chart count by reason
You can also play around with "| stats count by reason"
There is also no doubt a better way to express the RegEx, such as possibly:
rex field=_raw "Raised (?\w+)[:]"
But I'm horrible with RegEx.
As JSapienza says, you want to do work with field extractions, but you can start with something like:
"EXCEPTION" | rex field=_raw "Raised (?<reason>\w+):" | chart count by reason
You can also play around with "| stats count by reason"
There is also no doubt a better way to express the RegEx, such as possibly:
rex field=_raw "Raised (?\w+)[:]"
But I'm horrible with RegEx.
Im really impressed of what Splunk can do with some knowledge 🙂 Anyway this is want I want. Thanks!!!
Sounds like you need to do a field extraction for the Exceptions :
http://www.splunk.com/base/Documentation/4.2.1/Knowledge/Addfieldsatsearchtime
Then you can drill down and perform counts based on field with the stats command:
http://www.splunk.com/base/Documentation/4.2.1/SearchReference/Stats