Hi Everybody!
I am fairly new to Splunk, and I am trying to Create a dashboard where I need to get the Total number of Transactions and count of ERROR and INFO (Success) transaction among them from raw fields. We get a very high number of calls (A Million every 15 minutes).
Sample log:
Success log:
2019-01-23T15:37:13.634437+00:00 0e994c4c-d2c9-43fa-94fa-818a9268c892[[APP/PROC/WEB/35]]: cf_app_id=0e994c4c-d2c9-43fa-94fa-818a9268c892 cf_org_id=0664105f-6c56-49b9-b113-c80afd99426a cf_space_id=a580638c-03f8-4c45-84cd-6cd97ab463ec .source.s_cf_apps 2019-01-23 07:37:13.634 **INFO** 15 --- [nio-8080-exec-4] .t.s.c.SqlManagerSqlStatementsController
Error log:
2019-01-23T02:57:36.919558+00:00 0e994c4c-d2c9-43fa-94fa-818a9268c892[[APP/PROC/WEB/51]]: cf_app_id=0e994c4c-d2c9-43fa-94fa-818a9268c892 cf_org_id=0664105f-6c56-49b9-b113-c80afd99426a cf_space_id=a580638c-03f8-4c45-84cd-6cd97ab463ec .source.s_cf_apps 2019-01-22 18:57:36.919 **ERROR** 15 --- [nio-8080-exec-3] c.t.s.service.SqlManagerService
I tried to extract the using |rex "\s(?ERROR)\s" |rex " \s(?INFO)\s" , but the query is erroring out. I tried using the OR operator between them and still no use.
I tried to get help from the internet and found a query |regex " (?ERROR|INFO) (?.*?) " . I was able to run this but was not able to populate any data. I am not getting anywhere with this. Any help is appreciated.
Thanks.
... View more