Splunk Search

How to edit my search to get a list total of unique exception and error?

jw44250
New Member

I am getting 5-10 log files, and errors, exceptions, and root causes may all appear at once, or only errors or exceptions.

This is the Splunk command used, but it is not giving the proper results:

 "ERROR" OR Exception | rex ".*?(?(?:\w+\.)+\w*?Exception).*"
           | stats count by exception
0 Karma

hunters_splunk
Splunk Employee

Hi jw4425,

Your rex syntax seems incorrect. A field name should be provided to which to assign the captured group, something like this:

... | rex ".*(?<new_field_name>(?:\w+\.)+\w*?Exception).*"

For details, see http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Rex.

Hope this helps. Thanks!
Hunter

0 Karma

richgalloway
SplunkTrust

Please share some sample data along with the expected results.

---
If this reply helps you, Karma would be appreciated.
0 Karma

jw44250
New Member

log1.log
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalStateException: No task status found for ID:

2017-01-09T17:14:41.708+0000 ERROR : loggerName="test1" threadName="2121212" Uncaught exception: null
java.nio.BufferUnderflowException: null
at java.nio.Buffer.nextGetIndex(Buffer.java:506)
at java.nio.HeapByteBuffer.getLong(HeapByteBuffer.java:412)
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalStateException: No task status found for ID

log2.log
017-01-09T17:01:42.650+0000 ERROR : loggerName
dsfsdfsd
f
dsffsd
f

log3.log
2017-01-09T16:31:17.185+0000 ERROR : loggerName=abcxvxvvvk@7ba88ff5[state=SUCCESS,message=Extract Generation Completed Successfully.]
com....retry.RetryException: Retrying failed to

0 Karma

richgalloway
SplunkTrust

What do you want the output to be?

Your sample query needs more quotation marks: "ERROR" OR "Exception" | rex ".*?(?<exception>(?:\w+\.)+\w*?Exception).*" | stats count by exception

0 Karma

jw44250
New Member

just splunk command above splunk cmd

In the result in the Splunk tool, the below result is not counted at all:

2017-01-09T18:15:08.036+0000 ERROR : loggerName="c.a.i.a.a.w.r.s.AbstractExceptionMapper" threadName="qtp13434343" txnId="9386317e-be2erererc" Uncaught exception: null
java.nio.BufferUnderflowException: null
at java.nio.Buffer.nextGetIndex(Buffer.java:506)

0 Karma

richgalloway
SplunkTrust

That looks like an event (the input to a Splunk query) rather than the result of a Splunk query.
Also, the event in log2.log does not contain the text "Exception" so it won't be counted.

0 Karma
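
As an added example (not code from any poster in this thread), the JavaScript below models what the `rex` pattern from the thread extracts from events constructed from the samples above. It shows that `rex` keeps only the first match per event by default (`max_match=0` keeps all, so a `Caused by:` root cause is counted too), and that the lazy `\w*?Exception` also matches inside the logger name `AbstractExceptionMapper`. `STRICT_PATTERN` and the function names are assumptions for illustration.

```javascript
// Added example: models Splunk's `rex` extraction and `stats count by exception`.
// EVENTS are constructed from the samples in the thread (stack frames trimmed).
const EVENTS = [
  // log1.log style: an exception followed by its root cause
  '2017-01-09T17:14:41.708+0000 ERROR : loggerName="test1" threadName="2121212" Uncaught exception: null\n' +
  'java.nio.BufferUnderflowException: null\n' +
  'at java.nio.Buffer.nextGetIndex(Buffer.java:506)\n' +
  'Caused by: java.lang.IllegalStateException: No task status found for ID',
  // log2.log style: ERROR line with no exception class name
  '017-01-09T17:01:42.650+0000 ERROR : loggerName',
  // event whose loggerName contains "Exception" inside a longer class name
  '2017-01-09T18:15:08.036+0000 ERROR : loggerName="c.a.i.a.a.w.r.s.AbstractExceptionMapper" Uncaught exception: null\n' +
  'java.nio.BufferUnderflowException: null',
];

// Pattern from the thread (the surrounding .*? and .* do not change the capture)
const THREAD_PATTERN = /(?<exception>(?:\w+\.)+\w*?Exception)/g;
// Stricter variant (assumption, not from the thread): the name must END in "Exception"
const STRICT_PATTERN = /(?<exception>(?:\w+\.)+\w*Exception\b)/g;

// maxMatch = 1 mirrors rex's default; maxMatch = 0 mirrors `rex max_match=0`
function rex(event, pattern, maxMatch = 1) {
  const all = [...event.matchAll(pattern)].map((m) => m.groups.exception);
  return maxMatch === 0 ? all : all.slice(0, maxMatch);
}

// Equivalent of `stats count by exception`: one count per extracted value;
// events with no extracted value contribute nothing, as with a null BY field
function countByException(events, pattern, maxMatch = 1) {
  const counts = {};
  for (const ev of events) {
    for (const name of rex(ev, pattern, maxMatch)) {
      counts[name] = (counts[name] || 0) + 1;
    }
  }
  return counts;
}

console.log('thread pattern, first match only:', countByException(EVENTS, THREAD_PATTERN));
console.log('strict pattern, all matches:', countByException(EVENTS, STRICT_PATTERN, 0));
```
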