- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to list count of Error messages
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have multiple error messages in the logs and I do count by ErrorMessage. The error messages gets listed as below.
ErrorMessage Count
Execute Hedging Failed 427
Execute Risk Failed 727
Unable to create parallel trade for trade ID 12345 400
Unable to create parallel trade for trade ID 23456 326
In the table above error message 1 and 2 are valid but the 3rd and 4th are the same except for the trade ID difference. I want to tweak my query in such a way that 3 and 4 are joined together and I get Unable to create parallel trade 726 (400+326).
My current query: index=XYZ sourcetype="Apache Log" Error | Stats count by PT_ErrMsg. PT_ErrMsg is field extract created for getting error message.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
quick and dirty:
index=XYZ sourcetype="Apache Log" Error | eval ErrorMsg = if(like(PT_ErrMsg,"Unable to create parallel trade for trade ID%"),"Unable to create parallel trade for trade ID",PT_ErrMsg) | Stats count by PT_ErrMsg
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
quick and dirty:
index=XYZ sourcetype="Apache Log" Error | eval ErrorMsg = if(like(PT_ErrMsg,"Unable to create parallel trade for trade ID%"),"Unable to create parallel trade for trade ID",PT_ErrMsg) | Stats count by PT_ErrMsg
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks it is working. What I should do if I want to do this for multiple error messages along with the one i mentioned above. For example
Failed to create trade for ID 1234 124 Failed to create for ID 3214 470
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yep in this case the answer of richgalloway is the more accurate. As I said. It only was quick and dirty.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's where the case statement in my answer is useful. Just add an entry to it for each message.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You'll need to convert similar error messages into a common form. Try this:
index=XYZ sourcetype="Apache Log" Error | eval PT_ErrMsg=case(match(PT_ErrMsg,"Unable to create parallel trade for trade ID.*"),"Unable to create parallel trade for trade ID" , 1=1, PT_ErrMsg) | Stats count by PT_ErrMsg
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Richgalloway, this is not working even for the message you have provided. It is listing all the unable to create trade.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I used the wrong wildcard in the match command. The edited answer should work. Or you can use like as in PPape's answer.
If this reply helps you, Karma would be appreciated.
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
