Splunk Search

How to get the list of unique exceptions which are occurring only today but not in the past?

guru89044
Explorer

I am trying this command, but it looks like it's displaying all the exceptions. Please let me know how to get the exceptions which are occurring only today but not earlier in Splunk.

index=x AND (host=y) AND "java.exception" AND earliest=-1d@d latest=now NOT [ | search (index=x) AND (host=y) AND "java.exception" AND earliest=-15d@d latest=-2d@d | rex "(?<Exception>java?.[.\w]+Exception)" | stats count by Exception | sort by count ] | rex "(?<Exception>java?.[.\w]+Exception)" | stats count by Exception | sort by count

| set diff query is also not working.

0 Karma
1 Solution

elliotproebstel
Champion

I think maybe some of the code is getting chomped in your post. I'll assume you are able to successfully execute a straightforward search that extracts the field Exception and conclude with | stats count by Exception | sort 0 - count. If that's not true, then please try reposting your code by first clicking the 101010 code button and then entering the code in the modal window.

I'm going to re-state the goal, because I think there is a more straightforward approach to what you want to do. If I understand correctly, you want to list all Exception codes whose first appearance in the last 15 days was today. That can be done in a single search with no subsearches:

index=x host=y "java.exception" earliest=-15d@d latest=now 
| rex statement that extracts the Exception field
| stats earliest(_time) AS first_time BY Exception
| where first_time>=relative_time(now(), "@d")
| sort 0 - first_time
| convert ctime(first_time)

The last line just makes the timestamp in the first_time field display in human readable format; you won't need it if you plan to use the value in further comparisons or calculations.

guru89044
Explorer

@elliotproebstel Thank you. My end goal is to compare between 2 time durations.

  1. Find the no. of exceptions from 1st Feb to 10th Feb.
  2. Find the no. of exceptions from 11th Feb to 15th Feb.
  3. I want only the unique exceptions from 11th Feb to 15th Feb which did not occur during 1st Feb to 10th Feb, along with a count (no. of times the new exception occurred).

Please let me know how to compare the 2 time durations.

0 Karma

elliotproebstel
Champion

Sure, that's actually just a slight variation on the answer above. In the first answer, we gathered all events over 15 days and identified Exceptions that were first seen today. In this new challenge, we'll gather all events that occurred 1 Feb - 15 Feb and identify Exceptions that were first seen after 10 Feb. Exact same search structure, just different dates!

With your timepicker for the search, select 1 Feb as the start date and 15 Feb as the end date. We want Splunk to gather events from the overall time window, and then we'll analyze those.

index=x host=y "java.exception"
| rex statement that extracts the Exception field
| stats earliest(_time) AS first_time BY Exception
| eval window_start=strptime("2018-02-11", "%F")
| where first_time>=window_start
| stats count by Exception

0 Karma

guru89044
Explorer

@elliotproebstel Thank you very much. Now I can play with dates. Can you please explain the rex "(?<Exception>java?.[.\w]+Exception)" to me?

It's listing all the exceptions, but when continuous exceptions are present in the logs like below, it looks like it's considering only the first exception and ignoring the other 2. So it's also listing exceptions which are not unique.

Example: it's listing java.util.concurrent.ExecutionException: as unique even though it occurred before, as in this log.

logs : (java.lang.RuntimeException: java.util.concurrent.ExecutionException: java.lang.RuntimeException: org.xyz....)

0 Karma
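The accepted answer's approach (`stats earliest(_time) AS first_time BY Exception`, then `where first_time>=window_start`) and the follow-up about chained exceptions can both be checked outside Splunk. The Python below is an added example, not code from the thread or from Splunk: it replays the same first-seen-in-window logic over a handful of constructed log lines, once extracting every exception class in a chained message and once extracting only the first match, which is how a single-capture `rex` behaves. The log lines, the `WINDOW_START` date and the exception regex are all constructed for this example (the regex is deliberately broader than the poster's `java?.[.\w]+Exception`).

```python
import re
from datetime import datetime, timezone

# Constructed sample log lines (not from the original post):
# "<ISO-8601 UTC timestamp> <level> <message>", with chained causes on some lines.
SAMPLE_LOGS = [
    "2018-02-03T10:00:00Z ERROR java.lang.RuntimeException: java.util.concurrent.ExecutionException: boom",
    "2018-02-07T11:30:00Z ERROR java.io.IOException: disk full",
    "2018-02-12T09:15:00Z ERROR java.util.concurrent.ExecutionException: java.lang.IllegalStateException: bad state",
    "2018-02-13T14:45:00Z ERROR java.lang.IllegalStateException: bad state again",
    "2018-02-14T08:00:00Z ERROR java.io.IOException: disk full",
]

# Constructed window boundary; plays the role of strptime("2018-02-11", "%F") in the answer.
WINDOW_START = datetime(2018, 2, 11, tzinfo=timezone.utc)

# Fully qualified Java class names ending in "Exception", anywhere on the line.
EXCEPTION_RE = re.compile(r"\b(?:[A-Za-z_]\w*\.)+\w*Exception\b")


def parse_line(line):
    """Split a sample line into (timestamp, message)."""
    ts_str, _, message = line.partition(" ")
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, message


def extract_exceptions(message, all_matches=True):
    """Return the exception class names found in a message.

    all_matches=False keeps only the first match, mimicking a rex that captures
    once per event; chained causes after the first exception are then lost.
    """
    found = EXCEPTION_RE.findall(message)
    return found if all_matches else found[:1]


def first_seen(logs, all_matches=True):
    """Equivalent of `stats earliest(_time) AS first_time BY Exception`."""
    first = {}
    for line in logs:
        ts, message = parse_line(line)
        for exc in extract_exceptions(message, all_matches):
            if exc not in first or ts < first[exc]:
                first[exc] = ts
    return first


def new_exceptions(logs, window_start, all_matches=True):
    """Equivalent of `where first_time>=window_start | stats count by Exception`.

    Returns {exception: count} for exceptions whose first appearance in `logs`
    is on or after window_start, counting only events inside the window.
    """
    first = first_seen(logs, all_matches)
    counts = {}
    for line in logs:
        ts, message = parse_line(line)
        if ts < window_start:
            continue
        for exc in extract_exceptions(message, all_matches):
            if first[exc] >= window_start:
                counts[exc] = counts.get(exc, 0) + 1
    return counts


if __name__ == "__main__":
    # With every chained cause extracted, only IllegalStateException is truly new.
    print("all matches :", new_exceptions(SAMPLE_LOGS, WINDOW_START))
    # With first-match-only extraction, ExecutionException is wrongly reported as new,
    # because its 3 Feb occurrence was hidden behind the leading RuntimeException.
    print("first only  :", new_exceptions(SAMPLE_LOGS, WINDOW_START, all_matches=False))
```

The first-match-only run reproduces the complaint in the post above: `java.util.concurrent.ExecutionException` shows up as new in the window even though it appeared on 3 Feb inside a chained message. In SPL the same distinction is made with the `max_match` option of `rex` (`rex max_match=0 "(?<Exception>...)"` returns every match as a multivalue field), followed by `mvexpand Exception` so that each chained cause becomes its own row before the `stats earliest(_time) ... BY Exception` step.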

493669
Super Champion

try earliest=-0d@d instead of earliest=-1d@d

0 Karma

guru89044
Explorer

Yeah, but that's not the solution.

0 Karma