When I use timechart, I get a visual. When I use ...

zeroCalm · ‎09-19-2017

Hello,

I am using the following search:

index="ips_snaplogic""postsales" lvl="ERROR"| spath| rex mode=sed "s/.*{/{/"
| spath output=msg path=Detail.error.message.message
| timechart count BY msg

THis is the JSON I am trying to drill into, and grab the error message that I am trying to divide the chart by.

//XXX/projects/Sales_PostSales_processPostSaleOrder_VIP_CCT:{  
   "Service":"Enterprise Sales",
   "Date":"09/19/2017 08:44:41.466",
   "Environment":"XXX",
   "Debug":"Error",
   "Source":"PostSalesIntegration",
   "Description":"Error::processPostSaleOrder_VIP_CCT. Error occurred while trying to process the message. Failed to execute HTTP request",
   "Message_Unique_Id":null,
   "Message_qualifier":null,
   "JMSMessageID":null,
   "Detail":{  
      "error":{  
         "message":"Failed to execute HTTP request",
         "reason":"Read timed out",
         "resolution":"Please check the Snap properties."
      }

When I use timechart, I get a visual. When I use chart, no results. Any idea why?

Thanks

somesoni2 · ‎09-19-2017

What's your query with chart command? What is the expected visualization with chart command?

zeroCalm · ‎09-19-2017

I have updated my original question.

somesoni2 · ‎09-19-2017

Could you also post the query that you use with chart command? Do you select pie visualization for both?

gcusello · ‎09-19-2017

Hi zeroCalm,
what options do you use in chart command ?
Bye.
Giuseppe

zeroCalm · ‎09-19-2017

Options? I don't believe I understand the question. The original question shows my entire search string.

gcusello · ‎09-19-2017

did you tried something like this using chart instead timechart?

index="ips_snaplogic""postsales" lvl="ERROR"
| spath
| rex mode=sed "s/.*{/{/"
| spath output=msg path=Detail.error.message.message
| bin _time span=1h 
| chart count over _time BY msg

Bye.
Giuseppe

zeroCalm · ‎09-19-2017

Now I am getting a chart, but the error message isnt showing.

Here is a screenshot.

https://imgur.com/a/NZTJC

Thanks again.

gcusello · ‎09-19-2017

revie the message field extraction
Bye.
Giuseppe

s2_splunk · ‎09-19-2017

This | spath output=msg path=Detail.error.message.message should be replaced with this | spath output=msg path=Detail.error.message

gcusello · ‎09-20-2017

If this answer satisfies your question, please accept or upvote it.
Bye.
Giuseppe

DalJeanis · ‎09-19-2017

Try this and see what happens...

index="ips_snaplogic""postsales" lvl="ERROR"
| spath
| rex mode=sed "s/.*{/{/"
| spath output=msg path=Detail.error.message
| bin _time span=1h 
| chart count BY msg _time

Updated to eliminate extra ".message"

zeroCalm · ‎09-19-2017

Thanks for the response, I am having the same results though.

DalJeanis · ‎09-19-2017

@zerocalm - try again. There was an extra .message in the code, probably inserted somehow when you changed timechart to chart.

|makeresults 
| eval _raw="//XXX/projects/Sales_PostSales_processPostSaleOrder_VIP_CCT:{  
    \"Service\":\"Enterprise Sales\",
    \"Date\":\"09/19/2017 08:44:41.466\",
    \"Environment\":\"XXX\",
    \"Debug\":\"Error\",
    \"Source\":\"PostSalesIntegration\",
    \"Description\":\"Error::processPostSaleOrder_VIP_CCT. Error occurred while trying to process the message. Failed to execute HTTP request\",
    \"Message_Unique_Id\":null,
    \"Message_qualifier\":null,
    \"JMSMessageID\":null,
    \"Detail\":{  
       \"error\":{  
          \"message\":\"Failed to execute HTTP request\",
          \"reason\":\"Read timed out\",
          \"resolution\":\"Please check the Snap properties.\"
       }"
| spath
| rex mode=sed "s/.*{/{/"
| spath output=msg path=Detail.error.message

zeroCalm · ‎09-19-2017

Thanks, I removed the extra .message, and I am still getting the same results.

Screenshot:

https://imgur.com/PQA6itN

When I use timechart, I get a visual. When I use chart, no results. Any idea why?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes