Filter access log by time of exceptions in syslog ...

staffang · ‎10-12-2015

I have a log4j syslog which throws a few nullpointers every day like:

2015-10-05 00:00:53,042 ERROR DefaultExceptionMapper - Unexpected error occurred
java.lang.NullPointerException
    at some.java.code.of.mine(SomeJavaFileOfMine.java:318)`

I am having some thoughts about these calls being from google-bots indexing the webpage and I would hence like to figure out which IP-adresses that are causing these exceptions by comparing the time of the exception with the times in our access logs.

An event in the access log looks something like:

2XX.1XX.XXX.XXX - - [05/Oct/2015:10:48:02 +0200] 
"GET SOMETHING HTTP/1.1" 200 31912 "SOME URL" 
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) 
Gecko/20100101 Firefox/41.0" www.someurl.com SOME_STAT_COOKIE_ID=-

How do I do to get a list of the ip-adresses which are making requests at all of times certain exceptinos occur in my syslog?

I have tried with the following Splunk-query but with no results:

source="access_log" | eval timez=strftime(_time, "%H:%M %m-%d-%y") | search [search source="frontend.log" SomeJavaFileOfMine "java.lang.NullPointerException" | eval timez=strftime(_time, "%H:&M %m-%d-%y") | fields timez]

woodcock · ‎10-12-2015

Like this:

search source="frontend.log" SomeJavaFileOfMine "java.lang.NullPointerException" | eval exceptionTime = _time | map search="search earliest=$exceptionTime$ latest=$exceptionTime$ source="access_log | stats count by IPAddressFieldName"

Filter access log by time of exceptions in syslog with splunk

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!