Solved: How to group type of exceptions in the log ?

Bero · ‎04-29-2011

Hi!
I am a relative new user of Splunk so I have only used basic search that works fine.

Background:
I'm a member of a team that maintenance a big Delphi application. That is deployed on 4 servers. If there is an exception in the application that is logged in a textfile.
This is an example how it could look like in the log:

20110429 14:39:07 (16616) [EXCEPTION] Raised EBoldOperationFailedForObjectList: Optimistic locking failed for the following 2 objects:Id: 119993351, Id: 119993879. At Location BoldSystemPersistenceHandler.TBoldSystemPersistenceHandler.UpdateDatabaseWithList (BoldSystemPersistenceHandler.pas:500)
Inner Exception Raised EBoldOperationFailedForObjectList: Optimistic locking failed for the following 2 objects:Id: 119993351, Id: 119993879. At Location BoldSystemPersistenceHandler.TBoldSystemPersistenceHandler.UpdateDatabaseWithList (BoldSystemPersistenceHandler.pas:500)
Call Stack:
    [00] BoldSystemPersistenceHandler.TBoldSystemPersistenceHandler.UpdateDatabaseWithList (BoldSystemPersistenceHandler.pas:500)
    [01] BoldSystem.TBoldSystem.UpdateDatabaseWithList (BoldSystem.pas:1868)
    [02] BoldSystem.TBoldSystem.UpdateDatabase (BoldSystem.pas:1860)
    [03] AttracsDBSync.TATSyncPersistenceHandle.DBSync (..\server\units\AttracsDBSync.pas:1071)
    [04] AttracsDBSync.TATSyncPersistenceHandle.SyncSystemWithDatabase (..\server\units\AttracsDBSync.pas:1131)
    [05] DMAttracs.TServerData.SyncSystemWithDatabase (..\server\code\DMAttracs.pas:467)
    [06] DMAttracs.TServerData.ApplicationEventsIdle (..\server\code\DMAttracs.pas:494)
    [07] AppEvnts.TCustomApplicationEvents.DoIdle (AppEvnts.pas:216)
    [08] Forms.TApplication.Idle (Forms.pas:8533)
    [09] Forms.TApplication.HandleMessage (Forms.pas:8124)

Question:
If I for example search for "[EXCEPTION]" I got a lot of hits like the one above. This is of type EBoldOperationFailedForObjectList but there are also many others.

Is there a way to count each typ of exception ?
For example if I have 15 exceptions today maybe 5 of those are EBoldOperationFailedForObjectList, 3 are EAccessViolation, 7 are EInvalidCast then I got this list:

EBoldOperationFailedForObjectList 5
EAccessViolation 3
EInvalidCast 7

Is it possible to get such list from Splunk or maybe a graph ?

Regards

Roland
Team Attracs

howyagoin · ‎05-01-2011

As JSapienza says, you want to do work with field extractions, but you can start with something like:

"EXCEPTION" | rex field=_raw "Raised (?<reason>\w+):" | chart count by reason

You can also play around with "| stats count by reason"

There is also no doubt a better way to express the RegEx, such as possibly:

 rex field=_raw "Raised (?\w+)[:]"

But I'm horrible with RegEx.

View solution in original post

howyagoin · ‎05-01-2011

As JSapienza says, you want to do work with field extractions, but you can start with something like:

"EXCEPTION" | rex field=_raw "Raised (?<reason>\w+):" | chart count by reason

You can also play around with "| stats count by reason"

There is also no doubt a better way to express the RegEx, such as possibly:

 rex field=_raw "Raised (?\w+)[:]"

But I'm horrible with RegEx.

Bero · ‎05-01-2011

Im really impressed of what Splunk can do with some knowledge 🙂 Anyway this is want I want. Thanks!!!

JSapienza · ‎04-29-2011

Sounds like you need to do a field extraction for the Exceptions :

http://www.splunk.com/base/Documentation/4.2.1/Knowledge/Addfieldsatsearchtime

Then you can drill down and perform counts based on field with the stats command:

http://www.splunk.com/base/Documentation/4.2.1/SearchReference/Stats

How to group type of exceptions in the log ?

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...