Splunk Search

How to create a timechart of unique error messages by service with the error message and count on the line chart?

vineetc
Engager

I am planning to plot Unique error messages by a service with time, but don't know how to grab unique value. I can map the unique error message by time , but the point is to plot them by service and then time on the x-axis.

I believe it can be done by the table command, but how do I use table with a unique value of error by service.

Gives Timechart by error message:

host="abc.com" NOT Latency | rex "\[error\][^\(]+\((?<service>[^\)]+).+trans\((\d+){8}\)\[\b(?:\d{1,3}\.){3}\d{1,3}\b\]\:\s+(?<error_msg>.+)" | timechart count by error_msg

Gives Timechart by service:

host="abc.com" NOT Latency | rex "\[error\][^\(]+\((?<service>[^\)]+).+trans\((\d+){8}\)\[\b(?:\d{1,3}\.){3}\d{1,3}\b\]\:\s+(?<error_msg>.+)" | timechart count by service

I want to plot by time which should show error msg by service, but this doesn't work:

host="abc.com" NOT Latency | rex "\[error\][^\(]+\((?<service>[^\)]+).+trans\((\d+){8}\)\[\b(?:\d{1,3}\.){3}\d{1,3}\b\]\:\s+(?<error_msg>.+)" | stats dc(error_msg) by service

I want the service names in the legend, showing the count and description of unique error when I hover the mouse on the line chart.

0 Karma

woodcock
Esteemed Legend

This probably isn't perfectly suitable for you but I believe it will meet your needs:

host="abc.com" NOT Latency | rex "\[error\][^\(]+\((?<service>[^\)]+).+trans\((\d+){8}\)\[\b(?:\d{1,3}\.){3}\d{1,3}\b\]\:\s+(?<error_msg>.+)" | eval error_by_service = service . ":" . error_msg | timechart count by error_by_service
0 Karma

woodcock
Esteemed Legend

Did this work?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...