Dashboard for Error Reporting

freephoneid
Path Finder

Hi,

I want to create a dashboard which will show error reporting within the log file:

[2011-09-12 14:13:00:605 GMT][com.abc.rest.Security][http-8080-Processor15] ERROR Unable to decrypt token [abc.com=3502639832.36895.0000; path=/] due to error: Input length must be multiple of 16 when decrypting with padded cipher
[2011-09-12 14:13:00:608 GMT][com.abc.filters.AuthenticationFilter][http-8080-Processor15] DEBUG ValidAuthToken: false
[2011-09-13 16:43:40:134 GMT][com.abc.PerfManager][http-8080-Processor13] ERROR Operation Failed: GET_ACCOUNT_ORDER [Status Code: 0150 Message: ACCESS_DENIED]
[2011-09-13 16:43:40:137 GMT][com.abc.rest.ResolvePackage][http-8080-Processor13] WARN MCE error occurred [StatusCode: 0150]

The above errors occur at different times, more than once, & I want to count them all & show a pie chart of all these errors with their counts. Basically, these errors could be anything which starts with ERROR.

I should also get the top 10 warnings in the logs with their counts.

How could I categorize different errors so that I can show them in a dashboard?

I couldn't find a good way to implement it in Splunk. Can anyone help me out with how to implement it in Splunk?

Thanks!

0 Karma
1 Solution

Ayn
Legend

We cannot tell you EXACTLY how to resolve your issue without knowing more exact details about your errors. How are errors identified? What level of detail do you want when extracting error information? What issues are you currently running into, extracting the error information or creating the dashboard, or...

If errors are identified by, for instance, what's between "ERROR " and " [", just create a field extraction that will handle that.

index=abc | rex "ERROR (?<error>.+?) \["

This will give you various error types as values in the "error" field. If you want to get the top 10 error types, use:

index=abc | rex "ERROR (?<error>.+?) \[" | top 10 error

If you want permanent extractions, use the Interactive Field Extractor or create your own in props.conf / transforms.conf.

0 Karma
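An added example, not part of the answer above or of the original thread: a Python check of the same extraction idea, run over the four log lines from the question plus two constructed lines, to see which categories it yields before making the extraction permanent. It goes slightly beyond the rex shown by also capturing the log level (so WARN counts work) and by accepting a message that has no trailing " ["; the names LINE_RE, categorize and top are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the four lines from the question plus two made-up lines
# (a repeat of the decrypt error, and an ERROR with no bracketed detail).
SAMPLE_LOG = """\
[2011-09-12 14:13:00:605 GMT][com.abc.rest.Security][http-8080-Processor15] ERROR Unable to decrypt token [abc.com=3502639832.36895.0000; path=/] due to error: Input length must be multiple of 16 when decrypting with padded cipher
[2011-09-12 14:13:00:608 GMT][com.abc.filters.AuthenticationFilter][http-8080-Processor15] DEBUG ValidAuthToken: false
[2011-09-13 16:43:40:134 GMT][com.abc.PerfManager][http-8080-Processor13] ERROR Operation Failed: GET_ACCOUNT_ORDER [Status Code: 0150 Message: ACCESS_DENIED]
[2011-09-13 16:43:40:137 GMT][com.abc.rest.ResolvePackage][http-8080-Processor13] WARN MCE error occurred [StatusCode: 0150]
[2011-09-13 16:50:02:001 GMT][com.abc.rest.Security][http-8080-Processor15] ERROR Unable to decrypt token [abc.com=1111111111.22222.0000; path=/] due to error: Input length must be multiple of 16 when decrypting with padded cipher
[2011-09-13 16:51:10:450 GMT][com.abc.PerfManager][http-8080-Processor13] ERROR Connection pool exhausted
"""

# Three bracketed header fields, then the level, then the message up to the
# first " [" (as in the rex above) or, failing that, up to the end of the line.
LINE_RE = re.compile(
    r"^\[[^\]]+\]\[[^\]]+\]\[[^\]]+\] (?P<level>[A-Z]+) (?P<msg>.+?)(?: \[|$)"
)


def categorize(log_text):
    """Return {level: Counter(message -> count)} for every parsable line."""
    counts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not follow the layout are skipped, not guessed at
            counts.setdefault(m["level"], Counter())[m["msg"]] += 1
    return counts


def top(log_text, level, n=10):
    """Top-n message categories for one level, most frequent first."""
    return categorize(log_text).get(level, Counter()).most_common(n)


if __name__ == "__main__":
    for level in ("ERROR", "WARN"):
        print(level, top(SAMPLE_LOG, level))
```

Variable parts such as the token value fall after the " [" boundary, so both decrypt failures collapse into one category, and a previously unseen error text becomes a new category without any per-error definition.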

freephoneid
Path Finder

Hi,

Thanks for the reply. I defined different event types as shown below:

 [Auth_Error_Eventtype]
 search = "index=abc Auth error"

 [Conn_Error_Eventtype]
 search = "index=abc error while connecting"

Here, I have to specify each & every search string for specific errors. If any new error occurs tomorrow, then it'll not be captured here, as I'll be going through only this defined list of eventtypes.

I'm sure this is a pretty common issue with any type of error reporting. Can you tell me exactly how to resolve this issue?

Thanks!

0 Karma

Damien_Dallimor
Ultra Champion