Splunk Search

How to make pattern of error events?

marisstella
Explorer

Hello,
I want to create a pattern for similar error messages without discarding all the events..
Let's say, I have events like:
error occurred from ui correlationId; abcd1234
error occurred from ui correlationId; abcd2345
error occurred from ui correlationId; abcd4536
error occurred from ui correlationId; abcd6475

Like that, it has 100 errors; when I try to count, it shows 100 different errors, but in this case it is just a single error..
Here I want to do something like:
1. error occurred from ui correlationId; xxxx-yyyy, capture the remaining message
2. Count the total similar events as a single error
3. Any better solution to capture different errors, so we can take action immediately, would be very useful in our production...

0 Karma

manjunathmeti
Champion

Extract the single error using the rex command:

| rex field=_raw "(?<single_error>[^\d]+)"

Sample query:

| makeresults | eval _raw="error occurred from ui correlationId; abcd1234" | append [ | makeresults | eval _raw="error occurred from ui correlationId; abcd2345" ] | rex field=_raw "(?<single_error>[^\d]+)" | stats count by single_error
0 Karma

marisstella
Explorer

The idea is good, but it just stops at a numeric character...
The idea was that I need to capture all the events while excluding some particular IP address, correlation address, loan number or something like that, but the total count should be the same, as I explained above..

error occurred from ui correlationId; DGHVBJJ243FHG error from the lander price.in
error occurred from ui correlationId; FHGJGBJJ13FGJ error from the lander price.in
error occurred from ui correlationId; DGGJF24HJBG error from the lander price.in

Here, while calculating, it should show a count of 3 as a single event..
But when I use table to see the entire log message, it should show the entire message, so that I can take action on the particular event based on its correlation ID, IP address or something...

0 Karma

manjunathmeti
Champion

Ok, you can extract the parts of the logs you are interested in as chunks and then count by those chunks. Here I am excluding the value of correlationId, getting the other parts of the logs in 2 fields and counting by those 2 fields. If you want to preserve events, then use eventstats in place of stats.

| makeresults | eval _raw="error occurred from ui correlationId; DGHVBJJ243FHG error from the lander price.in" | append [ | makeresults | eval _raw="error occurred from ui correlationId; FHGJGBJJ13FGJ error from the lander price.in" ] | append [ | makeresults | eval _raw="error occurred from ui correlationId; DGGJF24HJBG error from the lander price.in"] | rex field=_raw "(?<event_part1>.*);\s[A-Z0-9]+\s(?<event_part2>.*)" | eventstats count by event_part1, event_part2
0 Karma

marisstella
Explorer

The idea is good, but I need to use stats/eventstats for every error pattern...
I'm just trying to make it for all the global errors...
I'm thinking of using some commands: LIKE, case, substr, replace

0 Karma
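A generic normalisation step that does not need a separate rex or stats for every error pattern, added here as an example (it is not from anyone in this thread and not a Splunk-provided search): each event keeps its _raw text, and a derived error_pattern field has the variable tokens masked so that identical errors with different correlation IDs, loan numbers or IP addresses collapse into one pattern. The five sample events are constructed for the example, and the field names error_pattern / pattern_count and the <IP> / <ID> placeholders are my choices. The first replace masks dotted IPv4 addresses; the second masks any word that contains a digit (correlation IDs such as abcd1234 or DGHVBJJ243FHG, and plain numbers such as a loan number). Text that has no digits, such as "price.in", is left alone.

```spl
| makeresults
| eval _raw="error occurred from ui correlationId; DGHVBJJ243FHG error from the lander price.in"
| append [| makeresults | eval _raw="error occurred from ui correlationId; FHGJGBJJ13FGJ error from the lander price.in"]
| append [| makeresults | eval _raw="error occurred from ui correlationId; abcd1234"]
| append [| makeresults | eval _raw="timeout calling 10.20.30.40 for loan 987654321"]
| append [| makeresults | eval _raw="timeout calling 10.20.30.41 for loan 123456789"]
| eval error_pattern=replace(_raw, "\b\d{1,3}(\.\d{1,3}){3}\b", "<IP>")
| eval error_pattern=replace(error_pattern, "\b[A-Za-z]*\d[A-Za-z0-9]*\b", "<ID>")
| eventstats count AS pattern_count BY error_pattern
| table _time _raw error_pattern pattern_count
```

With eventstats every original event survives, so the table still shows the full message (correlation ID, IP, loan number) for the event you want to act on, while pattern_count tells you how many events share that error pattern. For the collapsed view asked for above, swap the eventstats line for `| stats count AS pattern_count, values(_raw) AS sample_events BY error_pattern`, which gives one row per pattern with the raw variants listed. Because the masking is generic, a new error type that appears in production shows up as a new error_pattern value without anyone writing a rex for it first, which is what makes it usable for an alert on unseen patterns.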