topic Re: Find new errors in Getting Data In

Find new errors

splunk13 — Mon, 07 Jan 2013 07:47:59 GMT

Hi all,

I want to see the new errors after a date, per example "new errors after 1 day ago". I've created this request, which works fine for find the first occurrence of each error. But now I want filter the result of my request to find the new errors for this day. How can I do that ?

("SourceName=Application Popup" OR
Type=Critical OR Type=Warning)
host="xxxx" | reverse | dedup Message | { I want filter date here }

Thanks for your help !

Re: Find new errors

sonicant — Mon, 07 Jan 2013 08:32:48 GMT

if you mean "new errors today" and you can accept filter date at the beginning of the search command, you may add "earliest=@d" for today or "earliest=-2d@d" for today and yesterday, into the first part of search command.
Like this:
("SourceName=Application Popup" OR
Type=Critical OR Type=Warning)
host="xxxx" earliest=@d | reverse | dedup Message

Re: Find new errors

yannK — Mon, 07 Jan 2013 08:41:09 GMT

The dedup will remove all the events except the first one, so in your case you should remove it.

what about the list of errors per day
mysearch | timechart span=1d count by Message

Or simply a statistical count of errors with the detail of the first and last occurrence
mysearch ealiest=-1d@d | stats last(_time) as oldesttime last(_time) as recenttime count by Message | convert ctime(oldesttime) | convert ctime(recenttime)

Re: Find new errors

splunk13 — Mon, 07 Jan 2013 08:43:54 GMT

Hi,
Thank you for your fast response.
I mean the today's errors who have never appeared before.
So I just need filter the result of my request to show only errors who appeared today.

Like:
("SourceName=Application Popup" OR Type=Critical OR Type=Warning) host="xxxx" | reverse | dedup Message | earliest=-1d@d

But it doesn't work.

Regards,

Re: Find new errors

sonicant — Mon, 07 Jan 2013 08:55:29 GMT

Hi splunk13

You may not use "earliest=" after the pipe, please add it into the first part of your search, like this:
("SourceName=Application Popup" OR Type=Critical OR Type=Warning) host="xxxx" earliest=@d | reverse | dedup Message

Re: Find new errors

splunk13 — Mon, 07 Jan 2013 09:11:59 GMT

Hi sonicant,

Yes but the result of you request isn't the objective.
I want see the today's errors who have never appeared before today. And your request show all distinct errors for today.

Thank you for your help and sorry if I'm not very clear.

Regards,

Re: Find new errors

martin_mueller — Mon, 07 Jan 2013 09:25:38 GMT

You can filter events by time at a later point in your query like this:

... | where _time >= relative_time(time(), "@d")

This will only keep events from today.

Re: Find new errors

martin_mueller — Mon, 07 Jan 2013 09:26:57 GMT

Note, -2d@d refers to today, yesterday and the day before yesterday. You'd get today and yesterday with -d@d.