Splunk Search

Why does subsearch throw an exception?

mperrenoud
Engager

I'm trying to produce a subsearch based off of a rex field. The goal of this search is to find every Deserialization Successful log where the MessageSequence is in the subsearch list of errors. The ultimate goal there is to identify if it's the same record failing over and over.

However, the following search results in this error:

Error in 'fields' command: Invalid argument: 'seq=23080948093779922'

index="b2brtr_prod_main" sourcetype=applog "Deserialization Successful" |
    rex "MessageSequence:\s+(?<seq>\d+)" | fields _raw, seq
[search index="b2brtr_prod_main" sourcetype=applog "B2B_EXCEPTION_PROCESSMESSAGE" |
    rex "MessageSequence:\s+(?<seq>\d+)" | fields + seq]

An example B2B_EXCEPTION_PROCESSMESSAGE log might be something like this:

2017-09-14 07:23:20,453-04:00 thread=12 logLevel=ERROR component=... message=... : B2B_EXCEPTION_PROCESSMESSAGE - MessageSequence: 68116944367487730 MessageException: System.AggregateException: One or more errors occurred. ---> System.Threading.Tasks.TaskCanceledException: A task was canceled.
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification) ...
---> (Inner Exception #0) System.Threading.Tasks.TaskCanceledException: A task was canceled.<---
0 Karma
1 Solution

DalJeanis
SplunkTrust

Updated - No, that subsearch, if it works, is going to return a lot of nonsense. You don't have anything specifically joining it to the prior part. Once we saw that, it made more sense to refactor the whole thing.

Try this way...

 index="b2brtr_prod_main" sourcetype=applog ("Deserialization Successful" OR "B2B_EXCEPTION_PROCESSMESSAGE")
 | fields _raw
 | rex "MessageSequence:\s+(?<seq>\d+)" 
 | rename COMMENT as "the above gets all the messages of both types and extracts the seq."

 | rename COMMENT as "Now we extract the message and shorten it to 3 digits (DES or B2B)"
 | rex "(?i)(?<rectype>Deserialization Successful|B2B_EXCEPTION_PROCESSMESSAGE)"
 | eval rectype=upper(substr(rectype,1,3))

 | rename COMMENT as "count up how many of each, use xyseries to assign count to 3-digit message name"
 | stats count by seq rectype
 | xyseries seq rectype count

 | rename COMMENT as "Get rid of any records that don't have both."
 | where B2B > 0 and DES > 0

You can change the tests in the last line to whatever number you want.


Hmmm. It's complaining about one particular seq value, and it is numeric, and not surrounded by quotes.

try this...

index="b2brtr_prod_main" sourcetype=applog "B2B_EXCEPTION_PROCESSMESSAGE" 
| rex "MessageSequence:\s+(?<seq>\d+)" 
| eval seq=tostring(seq)
| where like(seq,"230809%")
| table seq
| format

Make sure the output seq= is surrounded by quotes.

If so, then do this...

Updated to work, but use the above anyway -

 index="b2brtr_prod_main" sourcetype=applog "Deserialization Successful" 
| rex "MessageSequence:\s+(?<seq>\d+)" 
| fields _raw, seq
| eval seq=tostring(seq) 
| join seq 
    [ search index="b2brtr_prod_main" sourcetype=applog "B2B_EXCEPTION_PROCESSMESSAGE" 
    | rex "MessageSequence:\s+(?<seq>\d+)" 
    | eval seq=tostring(seq) 
    | table seq ]

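An added example, not from the thread, for readers who still want the subsearch form rather than the single-pass stats search above. The error quoted in the question is about where the subsearch sits, not about the seq value itself: a subsearch expands in place into whatever command encloses it, and in the question it follows `| fields _raw, seq`, so its expanded output (`seq=23080948093779922 OR ...`) is handed to `fields`, which only accepts field names and the + / - modifiers. Putting the subsearch inside an explicit `| search`, after the outer `rex` has created `seq`, gives the expansion to a command that understands it. Index, sourcetype and the regex are the thread's; the `rename COMMENT` lines follow the commenting convention used in the answer.

```spl
index="b2brtr_prod_main" sourcetype=applog "Deserialization Successful"
| rex "MessageSequence:\s+(?<seq>\d+)"
| rename COMMENT as "seq now exists on the outer events, so the subsearch filter below can match it"
| search
    [ search index="b2brtr_prod_main" sourcetype=applog "B2B_EXCEPTION_PROCESSMESSAGE"
      | rex "MessageSequence:\s+(?<seq>\d+)"
      | rename COMMENT as "one row per distinct seq, so the OR list stays as short as possible"
      | stats count by seq
      | fields seq
      | format ]
| table _time seq _raw
```

Two caveats a practitioner will want before relying on this in production. A subsearch is capped by `limits.conf` `[subsearch]`: by default it returns at most 10,000 rows (`maxout`) and is cut off after 60 seconds (`maxtime`), and the truncation is silent apart from a job message, so a busy day of exceptions can quietly drop seq values from the OR list. If the failure list can get anywhere near that size, the single-pass `stats ... by seq rectype` search in the accepted answer is the right tool, because it reads both event types once and never builds an OR list at all.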

lfedak_splunk
Splunk Employee

Hey @mperrenoud, If DalJeanis solved your problem, please don't forget to accept an answer! You can upvote posts as well. (Karma points will be awarded for either action.) Happy Splunking!

0 Karma

mperrenoud
Engager

I can see I've got quite a bit of work to do to get to this point with my Splunk queries. Thanks so much for your help!

DalJeanis
SplunkTrust

@mperrenoud - there are other ways to do it, that might be easier to read at your level. None of these are particularly more efficient than each other, so take your pick. The rule here is, use whatever method you will understand when you come back to modify it later.

  | rename COMMENT as "count up how many of each, assign count to 3-digit message name"
  | stats count by seq rectype
  | eval B2B=if(rectype="B2B",count,0)
  | eval DES=if(rectype="DES",count,0)

  | rename COMMENT as "stats B2B and DES values onto a seq record, then get rid of any records that don't have both."
  | stats sum(B2B) as B2B sum(DES) as DES by seq
  | where B2B > 0 and DES > 0

  | rename COMMENT as "count up how many of each, assign count to 3-digit message name"
  | stats count by seq rectype
  | eval {rectype} = count

  | rename COMMENT as "get rid of rectype field, stats B2B and DES values onto a seq record, and then get rid of any records that don't have both."
  | fields - rectype
  | stats values(*) as * by seq
  | where B2B > 0 and DES > 0
0 Karma
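An added example, not from the thread, that takes the `stats ... by seq rectype` pattern from the accepted answer and the `eval`-based variants above one step further toward the question's actual goal, "is it the same record failing over and over". Instead of pivoting counts with `xyseries` or `{rectype}`, it counts each outcome directly with `count(eval(...))` and keeps the first and last time each seq was seen, so the output says how many times a record failed, over what span, and whether it ever deserialized. Index, sourcetype, the regexes and the DES/B2B naming are the thread's; the threshold of three failures is an assumed value to tune.

```spl
index="b2brtr_prod_main" sourcetype=applog ("Deserialization Successful" OR "B2B_EXCEPTION_PROCESSMESSAGE")
| rex "MessageSequence:\s+(?<seq>\d+)"
| rex "(?<rectype>Deserialization Successful|B2B_EXCEPTION_PROCESSMESSAGE)"
| eval rectype=upper(substr(rectype,1,3))
| rename COMMENT as "one row per seq: failures, successes, and the time window they span"
| stats count(eval(rectype="B2B")) as failures
        count(eval(rectype="DES")) as successes
        min(_time) as first_seen
        max(_time) as last_seen
        by seq
| rename COMMENT as "retry loops: the same seq failing at least 3 times (assumed threshold, adjust to taste)"
| where failures >= 3
| eval span_minutes=round((last_seen - first_seen) / 60, 1)
| eval outcome=if(successes > 0, "eventually deserialized", "still failing")
| convert ctime(first_seen) ctime(last_seen)
| sort - failures
| table seq failures successes first_seen last_seen span_minutes outcome
```

Because everything happens in one `stats` pass there is no subsearch row or time limit to worry about, and the `where` clause can express any combination the thread's `B2B > 0 and DES > 0` test cannot, for example `failures >= 3 AND successes = 0` to list only the records that are still stuck. The `rectype` regex is case-sensitive on purpose; add `(?i)` as the accepted answer does if the component logs the markers with inconsistent casing.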