- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- find # of exceptions/errors for a given sourcetype
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to create a table (and then a report) of all exceptions/errors that occur for a given sourcetype.
The primary problem (i suspect) is that I am not doing a count on a given field. The reason for this is that there is nothing common to extract that I can see so far because there are no key-value pairs when it comes to errors/exceptions.
My query looks like:
eventtype="all_web" (error OR exception) | chart count(events) as eventsBySourceTypeCnt by sourcetype | table sourcetype eventsBySourceTypeCnt
I didn't think counting on "events" was going to work, but I had to start somewhere.
Some of the data returned would by just the first portion of the query would be:
- commitCloseConnection - [18 Nov 2010 16:49:16,434] - ERROR [Default : 1617] PolarisDAO.java:190) - A java.lang.NullPointerException occurred - no detail available.
- [11/18/10 16:49:22:214 CST] 0000237b SystemErr R java.io.FileNotFoundException: /favicon.ico
Any ideas what I can do here to count just the events? It would be nice to know how many NullPointerExceptions, Errors, or FileNotFoundExceptions there are per sourcetype, but I don't think I'm to that point yet.
Thanks, Sean
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So is the goal to get a table containing each sourcetype and the number of error events?
eventtype="all_web" (error OR exception) | stats count by sourcetype
If you need more granularity, remember that eventtypes can be nested, so one approach would be to simply create a set of new eventtypes, then chart by eventtype. For example:
In eventtypes.conf (or configure via the manager):
[webapp-error-FileNotFoundException]
eventtype="all_web" (error OR exception) FileNotFoundException
[webapp-error-FileNotFoundException]
eventtype="all_web" (error OR exception) NullPointerException
Once you have the eventtypes defined, use eval with mvfilter to get rid of any extraneous eventtypes, and then create your table:
eventtype="webapp-error-*"
| eval errorType = mvfilter(eventtype LIKE "webapp-error-%")
| stats count by sourcetype, errorType
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So is the goal to get a table containing each sourcetype and the number of error events?
eventtype="all_web" (error OR exception) | stats count by sourcetype
If you need more granularity, remember that eventtypes can be nested, so one approach would be to simply create a set of new eventtypes, then chart by eventtype. For example:
In eventtypes.conf (or configure via the manager):
[webapp-error-FileNotFoundException]
eventtype="all_web" (error OR exception) FileNotFoundException
[webapp-error-FileNotFoundException]
eventtype="all_web" (error OR exception) NullPointerException
Once you have the eventtypes defined, use eval with mvfilter to get rid of any extraneous eventtypes, and then create your table:
eventtype="webapp-error-*"
| eval errorType = mvfilter(eventtype LIKE "webapp-error-%")
| stats count by sourcetype, errorType
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the info.
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
