Monitoring Splunk

How to prepare a table of exceptions and their counts for the last 2 days

bipin_tiwari
New Member

Hi,
For a very long time I have been struggling to display a table listing all exceptions raised by my application in the last few days (as specified).

I referred to several Splunk answers on this subject, but they didn't prove helpful. I will be very grateful if the Splunk support team can help me achieve my objective. I also wish to mention that when I perform a search I find many fields like host, source, sourcetype, date_minute, date_month, date_mday, date_zone, but I don't see the field exception or error, although exceptions occurred and were recorded in Splunk in the given period of time. Is anything going wrong that causes the search head not to extract exception or error fields from events? Please assist with a detailed explanation and a Splunk query.

I want the output in the following format:

Exception             Today  Yesterday  27 Jan  26 Jan
NullPointer           100    80         89      39
ArrayIndexOutOfBound  8      7          0       0
InvalidCartException  0      0          40      7
AuthenticationFailed  5      5          5       2

I am also fine if the table is displayed in the following format, where day1 is today, day2 is yesterday, day3 is the day before yesterday, and so on.

Exception             day1  day2  day3  day4
NullPointer           100   80    89    39
ArrayIndexOutOfBound  8     7     0     0
InvalidCartException  0     0     40    7
AuthenticationFailed  5     5     5     2

After displaying the above table in the Statistics tab, I want to draw a pie chart for this table in the Visualization tab.

Thanks
Bipin

0 Karma

renjith_nair
Legend

@bipin_tiwari ,

The search below should give you the expected output if the Exception field is available. You may adjust the earliest value according to your requirement.

"your base search" earliest=-4d@d |eval date=strftime(_time,"%Y-%m-%d")|chart count over Exception  by date

If the field exception is not extracted by default, please provide some sample logs (anonymize confidential data).

Happy Splunking!
0 Karma

bipin_tiwari
New Member

Hi @renjith.nair

The search is working and returning more than 1.5 lakh events, but the expected outcome (table and chart) is still not coming.
Following are some logs extracted from the source that came in the search result. Here the UnknownIdentifierException exception is raised again and again, so I expect that this exception should come in the table under the Statistics tab, but the Statistics tab is showing no result, although the Events tab has more than 1.5 lakh events.

[RestHandlerExceptionResolver] [] Translating exception [de.hybris.platform.servicelayer.exceptions.UnknownIdentifierException]: no valid account found for this uid :1190100

[RestHandlerExceptionResolver] [] Translating exception [de.hybris.platform.servicelayer.exceptions.UnknownIdentifierException]: no valid account found for this uid :1190100
INFO | jvm 1 | main | 2019/01/29 14:28:58.379 | 2019-01-29 14:28:58.351ERROR [hybrisHTTP9] [RestHandlerExceptionResolver] [] de.hybris.platform.servicelayer.exceptions.UnknownIdentifierException: no valid account found for this uid :1190100

[de.hybris.platform.servicelayer.exceptions.UnknownIdentifierException]: no valid account found for this uid :1190363
INFO | jvm 1 | main | 2019/01/29 14:29:03.694 | 2019-01-29 14:29:03.614ERROR [hybrisHTTP29] [RestHandlerExceptionResolver] [] de.hybris.platform.servicelayer.exceptions.UnknownIdentifierException: no valid account found for this uid :1190363

[RestHandlerExceptionResolver] [] Translating exception [de.hybris.platform.servicelayer.exceptions.UnknownIdentifierException]: no valid account found for this uid :1190373
INFO | jvm 1 | main | 2019/01/29 14:29:04.499 | 2019-01-29 14:29:04.470ERROR [hybrisHTTP76] [RestHandlerExceptionResolver] [] de.hybris.platform.servicelayer.exceptions.UnknownIdentifierException: no valid account found for this uid :1190373

[RestHandlerExceptionResolver] [] Translating exception [de.hybris.platform.servicelayer.exceptions.UnknownIdentifierException]: no valid account found for this uid :1190398
INFO | jvm 1 | main | 2019/01/29 14:29:06.206 | 2019-01-29 14:29:06.171ERROR [hybrisHTTP121] [RestHandlerExceptionResolver] [] de.hybris.platform.servicelayer.exceptions.UnknownIdentifierException: no valid account found for this uid :1190398

0 Karma

renjith_nair
Legend

@bipin_tiwari , do you have the Exception field extracted? Try and see if you get any result in statistics

index="your index" |stats count by Exception
Happy Splunking!
0 Karma

bipin_tiwari
New Member

@renjith.nair, index="hbr-itv" |stats count by Exception didn't return any result. However, in the Events tab I can see millions of events.

0 Karma

renjith_nair
Legend

That's probably because you don't have the field name Exception in your events. Try extracting this field and do the stats.

For e.g.

index="hbr-itv" |rex field=_raw "exceptions\.(?<Exception>\w+)"|stats count by Exception

If the above gives you stats tab, then try

  index="hbr-itv" |rex field=_raw "exceptions\.(?<Exception>\w+)"
  |eval date=strftime(_time,"%Y-%m-%d")|chart count over Exception  by date
Happy Splunking!
0 Karma
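
The extraction and pivot from the answer above, replayed in Python as an added example (not part of the original thread), so the result of the `rex` pattern can be checked offline. It assumes one log line is one event and that `_time` comes from the wrapper timestamp; the function name and the sample events (two copied from the thread, the rest constructed) are illustrative. The sample includes a `java.lang` exception, which the pattern does not match because it has no `exceptions.` package segment.

```python
import re
from collections import defaultdict

# Same pattern as the rex in the answer; Python spells the named group (?P<name>...).
EXC_RE = re.compile(r"exceptions\.(?P<Exception>\w+)")
# Assumption: _time is the wrapper timestamp, e.g. "| 2019/01/29 14:28:58.379 |".
TS_RE = re.compile(r"\| (\d{4})/(\d{2})/(\d{2}) \d{2}:\d{2}:\d{2}\.\d{3} \|")

HYBRIS = "de.hybris.platform.servicelayer.exceptions.UnknownIdentifierException"

def ev(ts, level, thread, msg):
    """Build one event in the wrapper format seen in the thread's log lines."""
    inner = ts.replace("/", "-")[:-4] + ".000"
    return (f"INFO | jvm 1 | main | {ts} | {inner}{level} [{thread}] "
            f"[RestHandlerExceptionResolver] [] {msg}")

# Sample events: the two 14:2x lines follow the thread, the rest are constructed.
SAMPLE_EVENTS = [
    ev("2019/01/28 09:10:11.120", "ERROR", "hybrisHTTP3",
       HYBRIS + ": no valid account found for this uid :1000001"),
    ev("2019/01/28 09:12:40.005", "ERROR", "hybrisHTTP5",
       "com.example.shop.exceptions.InvalidCartException: cart is empty"),
    ev("2019/01/29 14:28:58.379", "ERROR", "hybrisHTTP9",
       HYBRIS + ": no valid account found for this uid :1190100"),
    ev("2019/01/29 14:29:03.694", "ERROR", "hybrisHTTP29",
       HYBRIS + ": no valid account found for this uid :1190363"),
    ev("2019/01/29 14:30:00.000", "ERROR", "hybrisHTTP2",
       "java.lang.NullPointerException: constructed sample"),
    ev("2019/01/29 14:31:00.000", "INFO", "hybrisHTTP2", "request completed"),
]

def chart_count_over_exception_by_date(events):
    """Mimic: rex ... | eval date=strftime(_time,"%Y-%m-%d") | chart count over Exception by date."""
    counts = defaultdict(lambda: defaultdict(int))
    dates = set()
    for raw in events:
        ts = TS_RE.search(raw)
        exc = EXC_RE.search(raw)  # first match only, like rex without max_match
        if ts is None or exc is None:
            continue  # events with no Exception field drop out of the chart
        date = "-".join(ts.groups())
        dates.add(date)
        counts[exc.group("Exception")][date] += 1
    cols = sorted(dates)
    rows = {name: [counts[name].get(d, 0) for d in cols] for name in sorted(counts)}
    return cols, rows

if __name__ == "__main__":
    cols, rows = chart_count_over_exception_by_date(SAMPLE_EVENTS)
    print("Exception".ljust(28), *cols)
    for name, vals in rows.items():
        print(name.ljust(28), *(str(v).ljust(10) for v in vals))
```
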

bipin_tiwari
New Member

@renjith.nair, is there any way to have a direct call and discuss the issue?

0 Karma