I tried the below, but I am getting an error. It works if I limit it to a single message, error1.
Here I don't have a field for the error, so I am defining a new variable test_msg and trying to match any of the 3 messages.
index=test "common_error" | eval test_msg="error1" "error2" "error3" | stats count by test_msg
You should use rex, maybe along these lines, to extract those errors into a field and then report on it.
index=test "common_error" | rex field=_raw "failed with an error (?<error_message>.*)" | stats count by error_message
Your eval fails because the syntax is incorrect. Also, eval is used to create a field from existing fields or static values; it can't extract a field from raw data.
Update
Try something like this
index=test "common_error" | eval test_msg=case(match(_raw,"known error1"),"known error1",match(_raw,"known error2"),"known error2",match(_raw,"known error3"),"known error3",......., 1=1,"New Error") | stats count by test_msg
This worked like a charm. Thanks a lot for helping with this.
I tried the below, which found some X number of events, but below it displayed "no results found", so stats is not working?
index=test "common_error" | rex field=_raw "error1 (?<error_message>.*)" | stats count by error_message
Check whether the field extraction is working or not. Run this and see if you get values under the error_message field.
index=test "common_error" | table _raw | rex field=_raw "error1 (?<error_message>.*)"
No, error_message is blank. Only _raw displays the text of the stack trace, where error1 is part of a huge stack trace.
Did you try the updated answers?
Here, does error_message need to be replaced with "error1"/"error2"/"error3"? In that case, where are we defining error_message, which is used for ordering?
Basically, all my errors are part of _raw, which is not mapped to any field.
How will the query look for the following scenario?
OrderserviceImpl Exception: Workflow Exception ---> FileNotFoundException: ERR_234: File not found for cust_abc
OrderserviceImpl Exception: Workflow Exception ---> CustomerNotFoundException: ERR_453: Customer not found for cust_123
OrderserviceImpl Exception: Workflow Exception ---> InvalidInputException: ERR_443: Invalid Input
In the above errors, "OrderserviceImpl" is common to all of them, and the remainder, like "FileNotFoundException: ERR_234", varies. I want to display a count for each error message.
Thanks for helping with my questions.
What error are you getting?
It would help to see some sample events that you are trying to match.
The events look like the below. I want to display a report/dashboard with all these error1-4, and any new error should be displayed as new. For now I am looking for the count of all known errors.
16:30:24,115|Service:call common_error failed with an error error1
16:33:01,115|Service:call common_error failed with an error error2
13:30:08,115|Service:call common_error failed with an error error3
23:30:05,115|Service:call common_error failed with an error error4
The error I am getting is:
Error in 'eval' command: The expression is malformed.
The search job has failed due to an error. You may be able view the job in the Job Inspector.
.................................| eval test_msg="error*" | stats count by test_msg
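As an added illustration (not part of the thread and not Splunk's own code), the Python sketch below reproduces the two SPL approaches discussed above over constructed sample events: the rex extraction for the "failed with an error errorN" lines, and the case()/match() classification with a 1=1 catch-all for the OrderserviceImpl stack-trace lines, so that any exception not in the known list lands in a "New Error" bucket. It also shows why a rex that never matches makes `stats count by` return no results. The sample events are constructed, and the regex for the exception lines (`---> (\w+Exception: ERR_\d+)`) is an assumed pattern, not one from the thread.

```python
import re
from collections import Counter

# Constructed sample events (not from any real system). They mirror the two event
# shapes in the thread: "failed with an error errorN" lines and OrderserviceImpl
# stack-trace lines that carry an exception class and an ERR_ code.
SAMPLE_EVENTS = [
    "16:30:24,115|Service:call common_error failed with an error error1",
    "16:33:01,115|Service:call common_error failed with an error error2",
    "13:30:08,115|Service:call common_error failed with an error error3",
    "23:30:05,115|Service:call common_error failed with an error error4",
    "16:35:12,115|Service:call common_error failed with an error error1",
    "OrderserviceImpl Exception: Workflow Exception ---> FileNotFoundException: ERR_234: File not found for cust_abc",
    "OrderserviceImpl Exception: Workflow Exception ---> CustomerNotFoundException: ERR_453: Customer not found for cust_123",
    "OrderserviceImpl Exception: Workflow Exception ---> InvalidInputException: ERR_443: Invalid Input",
    "OrderserviceImpl Exception: Workflow Exception ---> FileNotFoundException: ERR_234: File not found for cust_xyz",
    "OrderserviceImpl Exception: Workflow Exception ---> TimeoutException: ERR_999: Upstream timed out",
]

# Equivalent of: | rex field=_raw "failed with an error (?<error_message>.*)"
REX_SIMPLE = re.compile(r"failed with an error (?P<error_message>.*)")
# The pattern from the "no results found" attempt: it needs a space after "error1",
# which the sample events never have, so it matches nothing.
REX_BAD = re.compile(r"error1 (?P<error_message>.*)")
# Assumed pattern for the stack-trace lines: exception class plus ERR_ code.
REX_EXCEPTION = re.compile(r"---> (?P<error_message>\w+Exception: ERR_\d+)")

# Known errors for the case()/match() approach. match() in SPL is a regex test,
# so escape anything with special characters if you add more entries.
KNOWN_ERRORS = [
    "FileNotFoundException: ERR_234",
    "CustomerNotFoundException: ERR_453",
    "InvalidInputException: ERR_443",
]


def search(events, term):
    """Base search, like `index=test "term"`: keep only events containing the term."""
    return [e for e in events if term in e]


def rex(raw, pattern):
    """Like `| rex field=_raw "..."`: return the named group, or None when the
    pattern does not match (Splunk then leaves the field unset on that event)."""
    m = pattern.search(raw)
    return m.group("error_message") if m else None


def case_match(raw, known, default="New Error"):
    """Like `eval test_msg=case(match(_raw,k1),k1, ..., 1=1,default)`: the first
    known pattern that matches wins; anything else is labelled as a new error."""
    for k in known:
        if re.search(k, raw):
            return k
    return default


def count_by(events, field_fn):
    """Like `| stats count by <field>`: events whose field is unset are dropped,
    which is why a rex that never matches yields "No results found"."""
    return Counter(v for v in (field_fn(e) for e in events) if v is not None)


if __name__ == "__main__":
    simple = search(SAMPLE_EVENTS, "common_error")
    traces = search(SAMPLE_EVENTS, "OrderserviceImpl")
    print("rex on simple events:   ", dict(count_by(simple, lambda e: rex(e, REX_SIMPLE))))
    print("bad rex (no match):     ", dict(count_by(simple, lambda e: rex(e, REX_BAD))))
    print("case/match on traces:   ", dict(count_by(traces, lambda e: case_match(e, KNOWN_ERRORS))))
    print("rex on traces:          ", dict(count_by(traces, lambda e: rex(e, REX_EXCEPTION))))
```

The case()/match() form gives you a fixed list of known labels plus one "New Error" bucket to alert on; the rex form gives you every distinct error automatically but nothing to flag unknowns. In practice the two combine well: extract with rex, then wrap the extracted field in a case() to map known codes to friendly names and leave the rest as new.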
It is better to use the rex command to extract a test_msg field which contains all the errors.
Let me see your events.