Splunk Search

How to find difference between errors by server based on time?

aohls
Contributor

I am attempting to do the following: I want to look at one system, a test system, for the last few months and compare the errors in that system with the errors in the current active environment. I am able to get the errors but I am not sure how to get results separated based on the environment they belong to; we have datasets established so using that will be ideal.

I believe I might also need to have a likeness evaluation, if the error is similar to an existing error. We include information that can change but the error can be the same, 'Error is caused by 123' and 'Error is caused by 321'. Essentially I want to find errors in our test system that the production system is not seeing, but I do need to account for the fact that we have objects included in the errors, so the numbers thrown with the error need to be ignored.


DalJeanis
SplunkTrust

There are a bunch of pieces here. I'm going to assume that you can get your two sets of data together onto the same system.

Next, it might be instructive to just search for the errors and look at the patterns tab.

Then, assuming you know where the numbers should be, then you could use a regular expression to scrub out the numbers, stats up a count by error, and compare the two summary data sets afterwards.
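
The approach in the answer above, sketched as an added SPL example that is not part of the original thread. The index names `app_test` and `app_prod`, the `log_level` and `message` fields, and the 90-day window are assumptions; substitute your own sources (or `_raw` if the message is not extracted into a field).

```spl
(index=app_test OR index=app_prod) log_level=ERROR earliest=-90d@d ```assumed index and field names```
| eval env=if(index="app_test", "test", "prod")
| eval error_norm=replace(message, "\d+", "<N>") ```scrub the variable numbers so 123 and 321 collapse to one error```
| stats count AS events BY env, error_norm
| stats sum(eval(if(env="test", events, 0))) AS test_count
        sum(eval(if(env="prod", events, 0))) AS prod_count
        BY error_norm
| where test_count > 0 AND prod_count = 0
| sort - test_count
```

Each remaining row is a normalized error text that occurred in test but never in production during the window; dropping the `where` clause gives the side-by-side counts for both environments.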


aohls
Contributor

I broadened my search and used the patterns tab as you mentioned. This looks to be a good start for where I am trying to get. Thanks.

DalJeanis
SplunkTrust

Great. If you have a more specific question about how to make comparisons, then please post another question with sample data, and we can help you figure it out.


aohls
Contributor

Thanks DalJeanis. From how you broke up the issue, my biggest hurdle is how to get the data in a way I can compare it. Would using a dataset be a good tool in this case? I have everything I need really, I am just not sure what the best way is to go about actually doing the analysis; I have the errors and can account for the numbers at this time.
