I am getting 5-10 log files, and errors, exceptions, and root causes may appear all at once, or only errors or exceptions.
This is the Splunk command used, but it is not returning the proper results:
"ERROR" OR Exception | rex ".*?(?(?:\w+\.)+\w*?Exception).*"
| stats count by exception
Hi jw4425,
Your rex syntax seems incorrect. A field name should be provided to which to assign the captured group, something like this:
... | rex ".*?(?<new_field_name>(?:\w+\.)+\w*?Exception).*"
For details, see http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Rex.
Hope this helps. Thanks!
Hunter
Please share some sample data along with the expected results.
log1.log
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalStateException: No task status found for ID:
2017-01-09T17:14:41.708+0000 ERROR : loggerName="test1" threadName="2121212" Uncaught exception: null
java.nio.BufferUnderflowException: null
at java.nio.Buffer.nextGetIndex(Buffer.java:506)
at java.nio.HeapByteBuffer.getLong(HeapByteBuffer.java:412)
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalStateException: No task status found for ID
log2.log
017-01-09T17:01:42.650+0000 ERROR : loggerName
dsfsdfsd
f
dsffsd
f
log3.log
2017-01-09T16:31:17.185+0000 ERROR : loggerName=abcxvxvvvk@7ba88ff5[state=SUCCESS,message=Extract Generation Completed Successfully.]
com....retry.RetryException: Retrying failed to
What do you want the output to be?
Your sample query needs more quotation marks: "ERROR" OR "Exception" | rex ".*?(?<exception>(?:\w+\.)+\w*?Exception).*" | stats count by exception
Just the Splunk command above.
In the results in the Splunk tool, the result below is not counted at all:
2017-01-09T18:15:08.036+0000 ERROR : loggerName="c.a.i.a.a.w.r.s.AbstractExceptionMapper" threadName="qtp13434343" txnId="9386317e-be2erererc" Uncaught exception: null
java.nio.BufferUnderflowException: null
at java.nio.Buffer.nextGetIndex(Buffer.java:506)
That looks like an event (the input to a Splunk query) rather than the result of a Splunk query.
Also, the event in log2.log does not contain the text "Exception" so it won't be counted.
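An added example, not part of the thread: a Python stand-in for the corrected `rex ... | stats count by exception` search, run over events rebuilt from the sample lines above. It shows what the pattern captures when only the first match per event is kept (rex's default, max_match=1) and when all matches are kept (max_match=0). It assumes Splunk has merged each stack trace into one multi-line event; the `ANCHORED` pattern and the function name are hypothetical.

```python
import re
from collections import Counter

# The thread's pattern. Python spells the named group (?P<name>...);
# Splunk's PCRE accepts (?<name>...).
REX = re.compile(r".*?(?P<exception>(?:\w+\.)+\w*?Exception).*")
# Assumed stricter variant (not from the thread): a class name only at the
# start of a line or directly after "Caused by: ".
ANCHORED = re.compile(
    r"^(?:Caused by: )?(?P<exception>(?:\w+\.)+\w*Exception)\b", re.M)

# Constructed input: one string per event, rebuilt from the thread's samples.
EVENTS = [
    '2017-01-09T17:14:41.708+0000 ERROR : loggerName="test1" '
    'threadName="2121212" Uncaught exception: null\n'
    "java.nio.BufferUnderflowException: null\n"
    "at java.nio.Buffer.nextGetIndex(Buffer.java:506)\n"
    "at java.lang.Thread.run(Thread.java:745)\n"
    "Caused by: java.lang.IllegalStateException: No task status found for ID",
    # log2.log: no "Exception" text, so nothing is extracted or counted.
    "017-01-09T17:01:42.650+0000 ERROR : loggerName\ndsfsdfsd",
    '2017-01-09T18:15:08.036+0000 ERROR : '
    'loggerName="c.a.i.a.a.w.r.s.AbstractExceptionMapper" '
    'threadName="qtp13434343" txnId="9386317e-be2erererc" '
    "Uncaught exception: null\n"
    "java.nio.BufferUnderflowException: null\n"
    "at java.nio.Buffer.nextGetIndex(Buffer.java:506)",
]


def count_by_exception(events, pattern, max_match=1):
    """Simplified `rex max_match=N | stats count by exception` (0 = no limit)."""
    counts = Counter()
    for event in events:
        values = [m.group("exception") for m in pattern.finditer(event)]
        counts.update(values[:max_match] if max_match else values)
    return dict(counts)


if __name__ == "__main__":
    runs = [("thread pattern, first match only", REX, 1),
            ("thread pattern, all matches", REX, 0),
            ("anchored pattern, all matches", ANCHORED, 0)]
    for label, pattern, limit in runs:
        print(label, count_by_exception(EVENTS, pattern, limit))
```

With the first match only, the last event is counted under a prefix of its logger name rather than the exception that was thrown, and the "Caused by" root cause in the first event is never counted.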