Hi,
My log file has a lot of error codes like ABC-12, ABC-15, ABC-28, ABC-43, etc. Those errors may be duplicated. I have eliminated the duplicates with DEDUP as below.
In the case of some transactions, the occurrence of any DB error (which is ABC-15) in turn returns ABC-28 as per the existing code behaviour. So whenever ABC-15 occurs, ABC-28 also gets printed in the logs. Hence we are getting wrong counts in Splunk for ABC-28. This deviation has to be corrected by ABC-28 = (ABC-15 count - ABC-28) OR ABC-28 = (ABC-28 - ABC-15) (whichever is greater).
So the difference between the counts of error codes ABC-15 and ABC-28 will be the final count for error code ABC-28.
The search query below gives me the error code counts for all the error codes except ABC-15 in a pie chart, but the value of ABC-28 should be only the difference. How do I get that?
source=my_app_log_prod_node* | rex field=_raw "(?<Transaction_ID>ajp-\d+\.\d+\.\d+\.\d+-\d+-\d+)\sFinal\sDB\sErrorCode:(?<Final_DB_Errorcode>\w+-\d+)" | dedup Transaction_ID Final_DB_Errorcode | search Final_DB_Errorcode!=ABC-15 | stats count by Final_DB_Errorcode | eval Final_DB_Errorcode=Final_DB_Errorcode." (Count : ".count.")"
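As an added reference implementation (not from the original post or from Splunk), the same rex-then-dedup-then-count logic in Python, with the ABC-28 count replaced by the absolute difference against ABC-15, so the number the Splunk pie chart shows can be checked against it; the sample transactions and the IP address in the log lines are constructed.

```python
import re
from collections import Counter

# Same pattern as the post's rex, with the named capture groups spelled out.
LINE_RE = re.compile(
    r"(?P<Transaction_ID>ajp-\d+\.\d+\.\d+\.\d+-\d+-\d+)\sFinal\sDB\sErrorCode:"
    r"(?P<Final_DB_Errorcode>\w+-\d+)"
)

# Constructed sample log (not from the original post). Transaction 7 hits the DB
# error ABC-15 and therefore also logs ABC-28 (twice); transaction 9 is a genuine
# ABC-28; transactions 11 and 13 show ordinary duplicates and unrelated codes.
SAMPLE_LOG = """\
ajp-10.0.0.1-8009-7 Final DB ErrorCode:ABC-15
ajp-10.0.0.1-8009-7 Final DB ErrorCode:ABC-28
ajp-10.0.0.1-8009-7 Final DB ErrorCode:ABC-28
ajp-10.0.0.1-8009-9 Final DB ErrorCode:ABC-28
ajp-10.0.0.1-8009-11 Final DB ErrorCode:ABC-12
ajp-10.0.0.1-8009-11 Final DB ErrorCode:ABC-12
ajp-10.0.0.1-8009-13 Final DB ErrorCode:ABC-43
some unrelated line without the pattern
"""


def dedup_counts(log_text):
    """Mimic `rex | dedup Transaction_ID Final_DB_Errorcode | stats count by Final_DB_Errorcode`."""
    seen = set()
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # no extracted fields, so stats would not count the event
        key = (m.group("Transaction_ID"), m.group("Final_DB_Errorcode"))
        if key in seen:
            continue  # dedup keeps one event per (transaction, error code)
        seen.add(key)
        counts[key[1]] += 1
    return counts


def adjusted_counts(counts, db_error="ABC-15", derived="ABC-28"):
    """Set the derived code's count to |derived - db_error| and drop the DB error code."""
    out = dict(counts)
    out[derived] = abs(out.get(derived, 0) - out.get(db_error, 0))
    out.pop(db_error, None)
    return out


if __name__ == "__main__":
    raw = dedup_counts(SAMPLE_LOG)
    print("deduplicated:", dict(raw))
    print("adjusted:", adjusted_counts(raw))
```

Because dedup is keyed on the transaction as well as the code, each ABC-15 transaction contributes exactly one ABC-28 to the deduplicated total, which is what makes the subtraction valid.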