Solved: How to compare search result of logs from producti...

raghavendrasred · ‎10-02-2015

I want compare the 2 search result error logs and show the result.
I want to compare based on "Error" log of 2 search result.

One search result from prod:

*NullPointerException*  index=prod | search log_level="ERROR" OR log_severity="Error" OR status>399 | stats earliest(_time) as FirstOccurence latest(_time) as LastOccurence count by static_msg | fieldformat FirstOccurence=strftime(FirstOccurence,"%m/%d/%y %H:%M:%S") | fieldformat LastOccurence =strftime(LastOccurence,"%m/%d/%y %H:%M:%S") | eval Error = static_msg | Table Error  count FirstOccurence LastOccurence | sort –count

Search result from QA:

*NullPointerException*  host=$host$ | search log_level="ERROR" OR log_severity="Error" OR status&gt;399 | stats earliest(_time) as FirstOccurence latest(_time) as LastOccurence count by static_msg | fieldformat FirstOccurence=strftime(FirstOccurence,"%m/%d/%y %H:%M:%S") | fieldformat LastOccurence =strftime(LastOccurence,"%m/%d/%y %H:%M:%S") | eval Error = static_msg | Table Error  count FirstOccurence LastOccurence | sort –count

I tried diff like eval diff = prod - qa it's showing difference of count or number of entries displayed, but I am looking for actual log differences.

somesoni2 · ‎10-09-2015

Try something like this

| set diff [search *NullPointerException*  index=prod log_level="ERROR" OR log_severity="Error" OR status>399 | stats earliest(_time) as FirstOccurence latest(_time) as LastOccurence count by static_msg | convert ctime(*Occurrence) timeformat="%m/%d/%y %H:%M:%S" | rename  static_msg as Error| Table Error  count FirstOccurence LastOccurence] [search *NullPointerException* host=$host$ log_level="ERROR" OR log_severity="Error" OR status>399 | stats earliest(_time) as FirstOccurence latest(_time) as LastOccurence count by static_msg | convert ctime(*Occurrence) timeformat="%m/%d/%y %H:%M:%S" | rename  static_msg as Error| Table Error  count FirstOccurence LastOccurence ] | sort –count

View solution in original post

somesoni2 · ‎10-09-2015

Try something like this

| set diff [search *NullPointerException*  index=prod log_level="ERROR" OR log_severity="Error" OR status>399 | stats earliest(_time) as FirstOccurence latest(_time) as LastOccurence count by static_msg | convert ctime(*Occurrence) timeformat="%m/%d/%y %H:%M:%S" | rename  static_msg as Error| Table Error  count FirstOccurence LastOccurence] [search *NullPointerException* host=$host$ log_level="ERROR" OR log_severity="Error" OR status>399 | stats earliest(_time) as FirstOccurence latest(_time) as LastOccurence count by static_msg | convert ctime(*Occurrence) timeformat="%m/%d/%y %H:%M:%S" | rename  static_msg as Error| Table Error  count FirstOccurence LastOccurence ] | sort –count

raghavendrasred · ‎10-09-2015

it not worked.

I tried another way..

it should work like vlookup, but it is not working..

raghavendrasred · ‎10-12-2015

Thanks. now i got the result in single Error field.
in result we have both the records of production and QA in single field as Error. The Error contains the 2 records with same message(like 2 entry with message "Failed to process ospp message."). Is it possible to highlight common records present in result.

raghavendrasred · ‎10-09-2015

Please some one answer the above request.

How to compare search result of logs from production server to QA search result logs?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life