How to edit my search to find error code counts from my XML data?

x05311
Explorer

Splunk code to find Error description:

index="inputfile" | rex "^(?P<reasoncode>[^\t]*)" | rex max_match=0 "<messageString>(?<reasoncode>[^\\<\"]*)" | eval reason_sub_code=substr(reasoncode,1,7) | stats count by reasoncode

---------- Results as Expected: Working as EXPECTED ----------

reasoncode                                                                                count
DPR-ERR-2070 the service monitorService did not stop within a reasonable amount of time   2
DPR-DPR-1026 Unable to register the dispatcher in Content Manager.                        2
DPR-DPR-2002 Unable to find                                                               2

Splunk code to find Error code counts only:

index="inputfile" | rex "^(?P<reasoncode>[^\t]*)" | rex max_match=0 "<messageString>(?<reasoncode>[^\\<\"]*)" | eval reason_sub_code=substr(reasoncode,1,12) | stats count by reason_sub_code

---------- Actual Output: NOT Working as EXPECTED ----------

reasoncode      count
DPR-ERR-2070    2

Expected Output:

reasoncode      count
DPR-ERR-2070    2
DPR-DPR-1026    2
DPR-DPR-2002    2
0 Karma

somesoni2
SplunkTrust

Give this a try

index="inputfile" | rex max_match=0 "\<messageString\>(?<reason_sub_code>\S+)" | stats count by reason_sub_code
0 Karma
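
An offline check of the extraction in the answer above, added here as an example and not part of the original thread: Python's `re` stands in for `rex`, and the events are constructed from the messages in the question. `STRICT_RE` and the `NOISY` event are assumptions, used to show what `\S+` captures when a message carries no error code.

```python
import re
from collections import Counter

# Constructed sample: two events, each carrying the three messageString
# values shown in the question's results table.
EVENT = (
    "<messageString>DPR-ERR-2070 the service monitorService did not stop"
    " within a reasonable amount of time</messageString>"
    "<messageString>DPR-DPR-1026 Unable to register the dispatcher in"
    " Content Manager.</messageString>"
    "<messageString>DPR-DPR-2002 Unable to find</messageString>"
)
EVENTS = [EVENT, EVENT]
# Constructed edge case: a message that carries no error code at all.
NOISY = "<messageString>Unable to connect</messageString>"

# The answer's pattern. Python's re needs (?P<name>...) for named groups.
ANSWER_RE = re.compile(r"<messageString>(?P<reason_sub_code>\S+)")
# Assumed stricter variant: accept only the AAA-BBB-1234 shape seen above.
STRICT_RE = re.compile(
    r"<messageString>\s*(?P<reason_sub_code>[A-Z]{3}-[A-Z]{3}-\d{4})\b"
)


def count_all_matches(events, pattern=ANSWER_RE):
    """Every match in every event, as rex max_match=0 feeding stats count."""
    counts = Counter()
    for event in events:
        counts.update(m.group("reason_sub_code") for m in pattern.finditer(event))
    return dict(counts)


def count_first_match(events, pattern=ANSWER_RE):
    """Only the first match per event, as rex does with its default max_match=1."""
    counts = Counter()
    for event in events:
        m = pattern.search(event)
        if m:
            counts[m.group("reason_sub_code")] += 1
    return dict(counts)


if __name__ == "__main__":
    print("all matches:  ", count_all_matches(EVENTS))
    print("first match:  ", count_first_match(EVENTS))
    print("noisy, answer:", count_all_matches([NOISY]))
    print("noisy, strict:", count_all_matches([NOISY], STRICT_RE))
```

Counting every match gives the three rows the question expects, while counting only the first match per event gives the single `DPR-ERR-2070` row.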