Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use Eval to find all matching errors and display result count by error

akonduru
New Member
‎03-09-2016 09:57 PM

I tried below, but getting an error. It works if i limit the error to single message error1.

Here i dont have filed for error, so defining new variable test_msg and trying to match for any of the 3 messages..

index=test "common_error" | eval test_msg="error1" "error2" "error3" | stats count by test_msg

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-10-2016 11:39 AM

Your should use rex, may be along these lines to extract those errors into a field and then report on it.

ndex=test "common_error" | rex field=_raw "failed with an error (?<error_message>.*)" | stats count by error_message

Your eval fails as the syntax is incorrect . Also, eval is used to create a field from existing fields or static values, it can't extract field from raw data.

Update
Try something like this

index=test "common_error"  | eval test_msg=case(match(_raw,"known error1"),"known error1",match(_raw,"known error2"),"known error2",match(_raw,"known error3"),"known error3",......., 1=1,"New Error") | stats count by test_msg

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-10-2016 11:39 AM

Your should use rex, may be along these lines to extract those errors into a field and then report on it.

ndex=test "common_error" | rex field=_raw "failed with an error (?<error_message>.*)" | stats count by error_message

Your eval fails as the syntax is incorrect . Also, eval is used to create a field from existing fields or static values, it can't extract field from raw data.

Update
Try something like this

index=test "common_error"  | eval test_msg=case(match(_raw,"known error1"),"known error1",match(_raw,"known error2"),"known error2",match(_raw,"known error3"),"known error3",......., 1=1,"New Error") | stats count by test_msg
Reply
Solved! Jump to solution

akonduru
New Member
‎03-10-2016 05:51 PM

This worked like charm..thanks a lot for helping with this.

0 Karma
Reply
Solved! Jump to solution

akonduru
New Member
‎03-10-2016 01:47 PM

I tried below, which found some X number of events but below it displayed "no results found", so stats is not working?

index=test "common_error" | rex field=_raw "error1 (?.*)" | stats count by error_message

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-10-2016 01:57 PM

Check if the field extraction is working fine or not. Run this and see if you get values under error_message field.

index=test "common_error" | table _raw | rex field=_raw "error1 (?<error_message>.*)"
0 Karma
Reply
Solved! Jump to solution

akonduru
New Member
‎03-10-2016 02:05 PM

No, error_message is blank. Only _raw displays text of stack trace where error1 is part of huge stack trace.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-10-2016 02:15 PM

Did you try the updated answers??

0 Karma
Reply
Solved! Jump to solution

akonduru
New Member
‎03-10-2016 01:40 PM

Here, error_message needs to be replaced with "error1"/"error2"/"error3" ? in that case where we are defining error_message which is used for ordering.

Basically, all my errors are part of raw which is not mapped to any field.

How the query will look like for the following scenario?

OrderserviceImpl Exception: Workflow Exception ---> FileNotFoundException: ERR_234: File not found for cust_abc

OrderserviceImpl Exception: Workflow Exception ---> CustomerNotFoundException: ERR_453: Customer not found for cust_123

OrderserviceImpl Exception: Workflow Exception ---> InvalidInputException: ERR_443: Invalid Input

In the above error, "OrderserviceImpl" is common for all errors and remaining like "FileNotFoundException: ERR_234" varies.. i want to display count for each error message.

Thanks for helping with my questions.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-10-2016 06:24 AM

What error are you getting?
It would help to see some sample events that you are trying to match.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

akonduru
New Member
‎03-10-2016 06:48 AM

Events looks like below. I want to display report/Dash borad with all these erro1-4 in a report or dashborad and any new error should be displayed as new.. For now i am looking for count of all known errors.

16:30:24,115|Service:call common_error failed with an error error1

16:33:01,115|Service:call common_error failed with an error error2

13:30:08,115|Service:call common_error failed with an error error3

23:30:05,115|Service:call common_error failed with an error error4

0 Karma
Reply
Solved! Jump to solution

akonduru
New Member
‎03-10-2016 10:44 AM

The error i am getting is

Error in 'eval' command: The expression is malformed.
The search job has failed due to an error. You may be able view the job in the Job Inspector.

0 Karma
Reply
Solved! Jump to solution

chimell
Motivator
‎03-09-2016 11:40 PM

.................................| eval test_msg="error*" | stats count by test_msg

0 Karma
Reply
Solved! Jump to solution

chimell
Motivator
‎03-09-2016 11:52 PM

it is better to use rex command to extract test_msg field whih contain all the error .
let me see your events

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...