Splunk Search

How to retrieve top 20 errors from all application logs

edwinmae
Path Finder

All my application logs are 'indexed' as 'customer'_application. The below shows all my Events just fine

index = *_application sourcetype = * source = * host = *

The below shows all my errors/Errors in all the Events just fine

index = *_application sourcetype = * source = * host = * error

I know that error is not a field and it must be extracted first. Unfortunately I haven't succeeded with that.
Please note that all the different application logs are not constructed (built) in the same way. The below gives me basically the desired setup, except that the 'error' message itself is missing.

index=*_application sourcetype=* source=* host=*  Error |  top limit=20 host sourcetype source

Is it even possible to achieve this, or is a certain log pattern (structure) a must? If this is possible, how?

0 Karma

ngatchasandra
Builder

Hi edwinmae,

I think it is normal that the error message is missing, because your results (index=*_application sourcetype=* source=* host=* Error | top limit=20 host sourcetype source) are displayed in the form of a table. You can click on the Events tab to review the errors in the events.

Make sure that you are in Verbose mode before running your search query.

So no problem! Your result matches the events that contain the error message.

Note: Although all the different application logs are not constructed in the same way, you can extract the "error" message individually in each application and then use the tag concept to name them the same way.

Link for tag concept:

http://docs.splunk.com/Documentation/Splunk/6.2.5/Knowledge/Defineandusetags

0 Karma

edwinmae
Path Finder

First of all --- Thanks for your quick response

The below gives me the desired output, except for the message itself
index=*_application sourcetype=* source=* host=* Error | top limit=20 host sourcetype source

I am able to see the log 'messages/events' (with Error) by clicking on the 'log-file (links)' listed under sourcetype (after the search), but I would like to have an additional column like 'message' that shows me (only) the errors that occurred most.

 index=*_application sourcetype=* source=* host=*  Error |  top limit=20 host sourcetype source message

I know there is no field like message; I tried to get the errors listed with rex but was unsuccessful to achieve this.

0 Karma

ngatchasandra
Builder

Although all the different application logs are not constructed in the same way, you can extract the "error" message individually in each application and then use the tag concept to name them the same way.

0 Karma

ngatchasandra
Builder

In this case, you will give 'message' as the name of your tag.

0 Karma

ngatchasandra
Builder

This is because you search through many application logs.

Follow link to have information about tag:

http://docs.splunk.com/Documentation/Splunk/6.2.5/Knowledge/Defineandusetags

0 Karma
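An added example, not from either poster, of the approach ngatchasandra describes: extract the error text per log layout and collect it under one common field name so top can rank it. It does the extraction inline with rex instead of saved field extractions or tags, and the three log layouts (bracketed level, key=value, plain "ERROR:" prefix) and their regexes are assumptions; only the *_application index naming comes from the question.

```spl
index=*_application sourcetype=* source=* host=* Error
| rex field=_raw "(?i)\[ERROR\]\s+(?<msg_bracket>[^\r\n]+)"
| rex field=_raw "(?i)level=error\s+msg=\"(?<msg_kv>[^\"]+)\""
| rex field=_raw "(?i)\bERROR\s*[:-]\s*(?<msg_plain>[^\r\n]+)"
| eval message=coalesce(msg_bracket, msg_kv, msg_plain)
| where isnotnull(message)
| rex field=message mode=sed "s/\d+/N/g"
| top limit=20 message host sourcetype source
```

Each rex leaves its field null when its pattern does not match, so coalesce picks whichever layout the event actually used; the sed-mode rex replaces digits so that messages differing only in IDs, ports or timestamps are counted as the same error rather than splitting the top 20.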