Solved: How to view my error name in where clause?

karthi2809 · ‎01-31-2018

Now i am getting only count i need error messages and host

index=test "java.nio.channels.ClosedChannelException" |stats count |where count > 10

mayurr98 · ‎01-31-2018

You can do that if you have a field in which error_message is already extracted. If it is not, then you have to manually extract it and then build a search query. If you can give me a sample event and tell what is the error message that you want to show then I can build a search query for you.

If the error message is specific i.e. java.nio.channels.ClosedChannelException

index=test "java.nio.channels.ClosedChannelException" 
| stats count by host 
| where count>10 
| eval error_message="java.nio.channels.ClosedChannelException"

let me know if this helps!

View solution in original post

mayurr98 · ‎01-31-2018

You can do that if you have a field in which error_message is already extracted. If it is not, then you have to manually extract it and then build a search query. If you can give me a sample event and tell what is the error message that you want to show then I can build a search query for you.

If the error message is specific i.e. java.nio.channels.ClosedChannelException

index=test "java.nio.channels.ClosedChannelException" 
| stats count by host 
| where count>10 
| eval error_message="java.nio.channels.ClosedChannelException"

let me know if this helps!

493669 · ‎01-31-2018

Try this:

index=test "java.nio.channels.ClosedChannelException" |stats count by error_messages, host|where count > 10

How to view my error name in where clause?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms