New Errors that did not exist last week

subtrakt · ‎09-02-2012

Say I did a bunch of changes over the weekend and wanted to see a list of any new errors.

Is there a way I can show only new errors that didn't exist from last week that are probably caused from my change?

Thanks

tcottreau · ‎08-28-2017

This query doesn't seem to be working for me.

I use a version of your query that looks like this and I'm using it in a form where I feed data/time fields to the earliest and latest:
index=my_index error OR failed OR severe NOT "on-error" earliest=$field1.earliest$ latest=$field1.latest$
| rex "[(?<error_type>0x8[\w\d]+)]"
| stats count AS lasthour by error_type
| appendcols [ search index=my_index error OR failed OR severe NOT "on-error" earliest=$field2.earliest$ latest=$field2.latest$
| rex "[(?<error_type>0x8[\w\d]+)]" | stats count AS prevhour by error_type ]
| eval prevhour=if(isnull(prevhour),0,prevhour)
|eval lasthour=if(isnull(lasthour),0,lasthour)
| table error_type prevhour lasthour

| where prevhour=0

I need the regular expression to create the error_type. It is very consistent and I am sure I get 100% coverage of all errors when I do this across all time.

I picked a period where I saw a spike in errors and compared it to a one-hour period exactly one week previous (this makes it much quicker).

The thing is, I take items from the list and query the one-hour period from a week earlier and I get hits. Probably half the errors I get in this report have non-zero results in the previous hour.

Suggestions would be welcome.

yannK · ‎09-02-2012

First, extract the error keywords as a field.
You can use 2 searches with different time range, combine the results with appendcols. And then add some logic to keep only the new errors.

example



search1 earliest=-1w@w latest=now | stats count AS thisweek by errorfield


| appencols [ 

search1 earliest=-2w@w latest=-1w@w | stats count AS lastweek by errorfield 

] 

| eval lastweek=if(isnull(lastweek),0,lastweek) | eval thisweek=if(isnull(thisweek),0,thisweek)


| table errorfield lastweek thisweek 

| where lastweek=0

subtrakt · ‎09-03-2012

Sorry, new to splunk.

If i wanted to search all the messages w/ 'critical' that exist now but did not exist last week. Can you give me an example on how that would be done? What's the best way to extract a keyword? My guess is, search the word, then click the drop down by the message, and 'extract fields'. Then what? Many Thanks.

tcottreau · ‎09-25-2017

After quite a lot of playing around, I am unsure what use "appendcols" actually is.

The only way this will work is if every single entry in both tables are identical, which is exactly NOT the reason you want to use this.

The results I've seen so far are:

stats1 (today):
X, 1
Y, 2

stats2 (yesterday):

A, 5
B, 3
C,9

appencols produces the following
error, today, yesterday
X, 1, 5
Y, 2, 3
C,,9

which is actually pretty useless. Now, I have yesterday's count of 5 against X, rather than against A where it should be.

I don't quite understand what "appendcols" is good for except putting counts against the wrong fields. It's a bit confusing.

The worst case is that if you have items in a different order, you will get some results against the correct field and some not, just depending on the order they are in.

tcottreau · ‎08-28-2017

Subtrakt, I know this is a bit late.

In this, you need a unique error field of some kind to do this. Without it, you would have to match on some unique text in the error.

If you look at my example below, I use a rex field to create a unique field, although, I'm not sure if it's working correctly.

You just have to add the word "critical" to search1 and search2 in the example, depending on the wording of the search.

New Errors that did not exist last week

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms