Hi, I want to create a chart for my Tomcat logs.
As a result there should be a summarized, counted statistic for the different log levels like INFO, DEBUG, WARN, ERROR, FATAL, TRACE.
The statistic should be between a time frame like the last whole week and the last whole month.
My logs look like this example:
INFO ;2012-04-11 08:37:18,659;manny more ***;BEENDE HTTP/1.1 POST-Request - Zeit=2,698ms
DEBUG ;2012-04-12 09:72:18,659;manny more ***;BEENDE HTTP/1.1 POST-Request - Zeit=2,698ms
WARN ;2012-04-13 10:34:18,659;manny more ***;BEENDE HTTP/1.1 POST-Request - Zeit=2,698ms
ERROR ;2012-04-14 12:56:18,659;manny more ***;BEENDE HTTP/1.1 POST-Request - Zeit=2,698ms
FATAL ;2012-04-15 09:35:18,659;manny more ***;BEENDE HTTP/1.1 POST-Request - Zeit=2,698ms
TRACE ;2012-04-16 08:45:18,659;manny more ***;BEENDE HTTP/1.1 POST-Request - Zeit=2,698ms
What I get for the moment is a counted report for only, let's say, the INFO level, like:
source="/opt/logs/radical-up.090909x.log" INFO | timechart sum(count) as "INFOSTATUS"
But how can I create a search which includes all other 5 remaining log levels and generates a nice summarized chart for me?
brgds. from sdohn
So, INFO, DEBUG, WARN, ERROR, FATAL and TRACE are already being extracted, I assume? If not, you should extract them with a field extraction and call them something like "STATUS".
Then you should be able to do | timechart sum(count) AS
This should give you a nice little chart with the count of each event by the status code above.
Unfortunately your example does not work for me.
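One way to write the search the answer describes, as an added example that is not part of the original thread: it extracts the leading log level into the STATUS field suggested above, limits the search to the previous whole week, and counts events per level per day. It assumes Splunk parses the event time from the second semicolon-separated field of each line; for the previous whole month, use `earliest=-1mon@mon latest=@mon` instead.

```spl
source="/opt/logs/radical-up.090909x.log" earliest=-1w@w latest=@w
| rex "^(?<STATUS>INFO|DEBUG|WARN|ERROR|FATAL|TRACE)\s*;"
| timechart span=1d count by STATUS
```

Events whose first field is not one of the six levels get no STATUS value and are left out of the chart.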
Maybe I do not correctly interpret it.
source="websample.log" | timechart sum(count) AS < status="202" status="404" > by status
Hi, thanks for your answer; for the moment your example does not work for me.
Let's work on a real example.
I've downloaded this logfile:
http://innovato.com/splunk/websample.log
When I fire up this query I get the timechart where all available status codes are summed:
source="websample.log" status="*" | timechart sum(count)
But how do I get a sum(count) timechart report where I can get a bar for, let's say:
all status codes 200: bar in color green
all status codes 404: bar in color red
And all in one report?
thanks!