All my application logs are 'indexed' as 'customer'_application. The below shows all my Events just fine
index = *_application sourcetype = * source = * host = *
The below shows all my errors/Errors in all the Events just fine
index = *_application sourcetype = * source = * host = * error
I know that error is not a field and it must be extracted first. Unfortunately I haven't succeeded with that.
Please note that all the different application-logs are not constructed (build) in the same way. The below gives me basically the desired setup, except that the 'error' message itself is missing.
index=*_application sourcetype=* source=* host=* Error | top limit=20 host sourcetype source
Is it even possible to achieve this, or is a certain log pattern (structure) a must? If this is possible, how?
Hi edwinmae,
I think that it is normal that the error message is missing, because your results (index=*_application sourcetype=* source=* host=* Error | top limit=20 host sourcetype source) are displayed in the form of a table. You can click on the Events tab to review error in events.
Make sure that you are in Verbose mode before running your search query.
So no problem! Your result matches the events that contain the error message.
Note: Although all the different application-logs are not constructed in the same way, you can extract the "error" message individually in each application and then use the tag concept to name them the same way.
Link for tag concept:
http://docs.splunk.com/Documentation/Splunk/6.2.5/Knowledge/Defineandusetags
First of all --- Thanks for your quick response
The below gives me the desired output, except for the message itself
index=*_application sourcetype=* source=* host=* Error | top limit=20 host sourcetype source
I am able to see the log 'messages/events' (with Error) by clicking on the 'log-file (links)' listed under sourcetype (after the search), but I would like to have an additional column like 'message' that shows me (only) the errors that occurred most.
index=*_application sourcetype=* source=* host=* Error | top limit=20 host sourcetype source message
I know there is no field like message; I tried to get the errors listed with rex but was unsuccessful.
Although all the different application-logs are not constructed in the same way, you can extract the "error" message individually in each application and then use the tag concept to name them the same way.
In this case, you would use 'message' as the name of your tag.
This is because you search through many application-logs.
Follow this link for information about tags:
http://docs.splunk.com/Documentation/Splunk/6.2.5/Knowledge/Defineandusetags
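An added example of the per-format rex extraction plus top that the answers above describe (not from the original thread or from Splunk's documentation; the two log layouts, the regexes and the field names msg_a, msg_b and msg_generic are assumed for illustration):

```spl
index=*_application error
| rex field=_raw "^\[[^\]]+\]\s+ERROR\s+(?<msg_a>.+)$"
| rex field=_raw "level=error\s+msg=\"(?<msg_b>[^\"]*)\""
| rex field=_raw "(?i)\berror\b[\s:\-]+(?<msg_generic>.+)$"
| eval message=coalesce(msg_a, msg_b, msg_generic)
| where isnotnull(message)
| eval message=replace(message, "\d+", "N")
| top limit=20 host sourcetype source message
```

The first two rex commands handle the two assumed layouts (a bracketed-timestamp "ERROR ..." line and a key=value line), the third is a fallback for anything else, coalesce picks whichever matched, and replace collapses numbers (ids, ports, timestamps) to "N" so that otherwise identical errors group together in top; events where no pattern matched are dropped by the where clause so you can spot formats that still need their own rex.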