Splunk Search

How to create a report on error codes and how many times each occurred over a period of time using regex and timechart?

parameshjava
Explorer

In my application, it will print some error codes like OPT-00A001, OPT-00A002, OPT-00A003, upto OPT-00A010. I need to prepare a report to know each error code and how many times occurred over a period of time.

No idea how to use regex and timechart to get this kind of report. Please suggest.

0 Karma
1 Solution

sundareshr
Legend

Without actual logs, it is very difficult to isolate the pattern for your errorcode to write the correct regex. Having said that, if you error codes are always the same patter "OPT-" followed by 6 characters, then you can use this. This also assumes the error code appears only once an event. This also assumes, this pattern of OPT- followed by 6 chars doesn't occur anywhere else in the event. If it does, this regex will only get the first occurrence

| rex "(?<ec>OPT-\w{6})" | timechart count by ec

View solution in original post

sundareshr
Legend

Without actual logs, it is very difficult to isolate the pattern for your errorcode to write the correct regex. Having said that, if you error codes are always the same patter "OPT-" followed by 6 characters, then you can use this. This also assumes the error code appears only once an event. This also assumes, this pattern of OPT- followed by 6 chars doesn't occur anywhere else in the event. If it does, this regex will only get the first occurrence

| rex "(?<ec>OPT-\w{6})" | timechart count by ec

jmallorquin
Builder

Can you provide some lines of log just to ensure the rex match?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...