Hi all,

I want to count similar errors and stacktraces in order to prioritize them.

I have a search that works in most cases:

index=ix_dis_appl_p loglevel="ERROR" | rex "ERROR](?<actionab>.*)" | stats dc(SessionID) by actionab

Some error lines have unique id's which makes counting similar errors hard. Example 1:

n.r.g.m.a.b.s.m.ProcessSpecificMessageBusiness Unexpected service fault for OrderIdentification [orderId=1-HRT5HT5, unitOfWorkId=1-Q4W06K0]. Returning empty resultset.

The values like 1-HRT5HT5 & 1-Q4W06K0 make every error unique. All these error lines are in the results with a count of 1.

Example 2: A stack trace that has ids on the first line :

. Returning empty resultset. nl.abcd.gict.mcv.access.mcvsrvc.retrieve_process_specific_texts.client.exception.NoResultsException: Application fault: Error retrieving order 1-NSFV1RA-1-NSHGNZC at

This part makes every error unique: 1-NSFV1RA-1-NSHGNZC

How can I remove the id's in order to get a count with results as below:

n.r.g.m.a.b.s.m.ProcessSpecificMessageBusiness Unexpected service fault for OrderIdentification [orderId=, unitOfWorkId=]. Returning empty resultset. | 4185
. Returning empty resultset. nl.abcd.gict.mcv.access.mcvsrvc.retrieve_process_specific_texts.client.exception.NoResultsException: Application fault: Error retrieving order at| 2585

I have been trying with rex, sed but I can't make anything work out. Hope someone can help.