I have the following Splunk base search:
sourcetype=serverA FATAL OR ERROR OR WARN | rex field=_raw max_match=1 "(?<error_type>WARN|ERROR|FATAL)" | rex field=_raw "] (?<error_location>.*?) " | rex field=_raw "\) (?<description>.*)"
I then pipe this result to | eventstats count by error_type to get individual counts of each error type. Finally, I also want to return a set of descriptions for each of the three error_types, whose number of results is reliant on the count for each error_type. For example, if the count of WARN is greater than 5, then it would only grab the first 5 descriptions. If the count is less, it would show them all.
I'm trying a syntax like this with no luck so far:
sourcetype=GRServerPROD_B FATAL OR ERROR OR WARN
| rex field=_raw max_match=1 "(?<error_type>WARN|ERROR|FATAL)"
| rex field=_raw "] (?<error_location>.*?) "
| rex field=_raw "\) (?<description>.*)"
| eventstats count by error_type
| eval description_set=if(count>5, <return top 5 descriptions>, <return all descriptions>)
| stats values(description_set) as descriptions, values(count) as count by error_type
I also tried running sub-searches using map, but this seemed pretty lengthy.
Hi samsam48,
I cannot test your search, but I had a problem like yours, so you should try something like this:
sourcetype=GRServerPROD_B FATAL OR ERROR OR WARN
| rex field=_raw max_match=1 "(?<error_type>WARN|ERROR|FATAL)"
| rex field=_raw "] (?<error_location>.*?) "
| rex field=_raw "\) (?<description>.*)"
| stats values(description) AS description dc(description) AS different_descriptions count by error_type
| eval description=if(different_descriptions>5,"There are ".different_descriptions." descriptions",description)
If you want to have all the descriptions on the same row, add | nomv description at the end of your search.
In addition, I suggest using the index parameter to get more performant searches.
Bye.
Giuseppe
Hi cusello,
This query doesn't narrow down the results of description though, if I'm not mistaken? If count for one value of error_type was over 5, then I'd only want 5 descriptions from that given value of error_type. For example, if error_type = WARN, and there were 1000 warnings, then I'd want the final chart to hold only 5 descriptions (it's too much to show all 1000 in an email). However, if error_type = FATAL and there were 2 fatals, then I'd want the final chart to hold those two fatal events' descriptions.
Please let me know if I can clarify further. Thanks.
Hi samsam48,
In this way you don't know if you have 5 descriptions or more, because in both situations you have 5 descriptions!
Anyway, try something like this:
sourcetype=GRServerPROD_B FATAL OR ERROR OR WARN
| rex field=_raw max_match=1 "(?<error_type>WARN|ERROR|FATAL)"
| rex field=_raw "] (?<error_location>.*?) "
| rex field=_raw "\) (?<description>.*)"
| stats values(description) AS description count by error_type
| eval description=mvindex(description, 0, 4)
Bye.
Giuseppe
Hi Giuseppe,
Last thing: how would I go about including the counts and the set of 5 descriptions in the alert body? It doesn't look like the counts are "named", so I haven't been able to use the $results.fieldName$ syntax in the email body. Is there also an approach to include all 5 descriptions for each error_type in the body as well?
Hi samsam48,
I usually don't insert data in the eMail body, to keep the eMail more general and to avoid problems with fields.
I usually attach a file (csv or pdf) with the results, or I enable the link to results (if the receiver is allowed to use Splunk).
Bye.
Giuseppe
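Added example, not from the thread or from Splunk documentation, covering both of samsam48's questions (the "at most 5 descriptions per error_type while keeping the real count" requirement, and getting named fields into the alert body). It reuses the sourcetype and the rex extractions from the original post; the field names total_count, seq, descriptions and the *_count / *_descriptions fields are my own choices. Two things differ from the values()/mvindex approach above: values() returns unique descriptions in lexicographical order, whereas streamstats over the event stream (which an event search returns newest first) keeps the 5 most recent occurrences, duplicates included; and eventstats runs before the cut, so the count reflects every event of that type, not just the 5 kept.

```spl
sourcetype=serverA (FATAL OR ERROR OR WARN)
| rex field=_raw max_match=1 "(?<error_type>WARN|ERROR|FATAL)"
| rex field=_raw "\) (?<description>.*)"
| eventstats count AS total_count by error_type
| streamstats count AS seq by error_type
| where seq<=5
| stats max(total_count) AS count list(description) AS descriptions by error_type
| eval descriptions=mvjoin(descriptions, " | ")
| eval {error_type}_count=count, {error_type}_descriptions=descriptions
| fields - error_type count descriptions
| stats values(*) AS *
```

Line by line: eventstats attaches the full per-type count to every event; streamstats numbers the events of each type in arrival order, so where seq<=5 keeps the 5 newest per type; the first stats collapses to one row per error_type with the true count and an ordered list of the kept descriptions; mvjoin turns that list into a single string; the eval with {error_type} creates fields such as WARN_count and WARN_descriptions on each row; the final stats merges the three rows into one. Because the result is a single row with named fields, the alert's email message can reference them with Splunk's result token syntax, e.g. $result.WARN_count$ and $result.WARN_descriptions$ (the token reads the first result row). Stop after the first stats if you still want one row per error_type for a CSV attachment, as Giuseppe suggests.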