How to create a timechart of unique error messages...

vineetc · ‎10-06-2015

I am planning to plot Unique error messages by a service with time, but don't know how to grab unique value. I can map the unique error message by time , but the point is to plot them by service and then time on the x-axis.

I believe it can be done by the table command, but how do I use table with a unique value of error by service.

Gives Timechart by error message:

host="abc.com" NOT Latency | rex "\[error\][^\(]+\((?<service>[^\)]+).+trans\((\d+){8}\)\[\b(?:\d{1,3}\.){3}\d{1,3}\b\]\:\s+(?<error_msg>.+)" | timechart count by error_msg

Gives Timechart by service:

host="abc.com" NOT Latency | rex "\[error\][^\(]+\((?<service>[^\)]+).+trans\((\d+){8}\)\[\b(?:\d{1,3}\.){3}\d{1,3}\b\]\:\s+(?<error_msg>.+)" | timechart count by service

I want to plot by time which should show error msg by service, but this doesn't work:

host="abc.com" NOT Latency | rex "\[error\][^\(]+\((?<service>[^\)]+).+trans\((\d+){8}\)\[\b(?:\d{1,3}\.){3}\d{1,3}\b\]\:\s+(?<error_msg>.+)" | stats dc(error_msg) by service

I want the service names in the legend, showing the count and description of unique error when I hover the mouse on the line chart.

woodcock · ‎10-07-2015

This probably isn't perfectly suitable for you but I believe it will meet your needs:

host="abc.com" NOT Latency | rex "\[error\][^\(]+\((?<service>[^\)]+).+trans\((\d+){8}\)\[\b(?:\d{1,3}\.){3}\d{1,3}\b\]\:\s+(?<error_msg>.+)" | eval error_by_service = service . ":" . error_msg | timechart count by error_by_service

woodcock · ‎11-04-2015

Did this work?

How to create a timechart of unique error messages by service with the error message and count on the line chart?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...