topic Re: Exceptions that never happened before in Monitoring Splunk

How to get a report/alert when a new exception happens that never happened before?

See0 — Fri, 17 Mar 2023 16:03:45 GMT

Hello guys,

I will try to describe my problem as good as i can. I want to get some raport/alert when a new exception appears but that never happened before.

let say that i have 15 exceptions that happened before like: java.lang.NullPointer, java.lang.IllegalStateException.. etc.

i want to get an alert when a “new” exception appear that never appeared before.

Is that possible?

Re: Exceptions that never happened before

bowesmana — Fri, 17 Mar 2023 01:30:30 GMT

Yes, you can. You will need to keep a record of exceptions that you have seen before in a lookup file, so that when you run a search you can then lookup against that file.

Here is some very pseudo SPL that can be used, but you will need to tailor it to your data and use case.

index=my_index *Exception* ``` Work out what is your exception here using some eval statemsnt or field extractions ``` | eval ExceptionName=... | lookup my_previous_exceptions.csv ExceptionName OUTPUT ExceptionName as FoundExceptionName | where isnull(FoundExceptionName) ``` Now you have events that contain new exceptions, ``` ``` you can finally merge the new and existing exceptions that new Exception to your lookup ``` | fields ExceptionName _time | outputlookup append=t my_previous_exceptions.csv

Re: Exceptions that never happened before

See0 — Fri, 17 Mar 2023 07:14:46 GMT

Could you explain me how do i do the backup file?

Like an example..

im pretty new.

Re: Exceptions that never happened before

See0 — Fri, 17 Mar 2023 14:10:42 GMT

And i dont really understand the eval ExceptionName=…

what should i put here?

@bowesmana

Re: Exceptions that never happened before

bowesmana — Sat, 18 Mar 2023 05:17:48 GMT

So, depending on your data, you will have an event containing some information containing the text of the Exception, whether it's a full stack trace or just the exception name, but let's assume that your Splunk event contains

bla bla bla java.lang.NullPointerException bla bla bla

then unless you have a field in the data that has the name of the exception you need to create a field, either through an eval statement or a rex field extraction

If you don't have a field in the data, then you would use a rex statement, e.g. one of these would extract either the simple name or the full class name

| rex "(\w+\.)+(?<ExceptionName1>.*Exception) " | rex "(?<ExceptionName2>(\w+\.)+\w+Exception) "

an eval statement could be used to manipulate an existing field.

All of this will depend on what your data looks like though.

Re: Exceptions that never happened before

See0 — Sat, 18 Mar 2023 08:31:09 GMT

@bowesmana
Thank you a lot for your time, could tou show me how the las version of the search should look like with the “rex”

Re: Exceptions that never happened before

bowesmana — Mon, 20 Mar 2023 22:41:55 GMT

You will have to show what you are currently doing, where your data exists and the results you are getting to get further help. I can't provide direct searches without knowing your environment.

Re: Exceptions that never happened before

bowesmana — Mon, 20 Mar 2023 22:42:22 GMT

I don't know what you mean by a backup file in Splunk context

Re: Exceptions that never happened before

See0 — Tue, 21 Mar 2023 08:20:01 GMT

I have message you.

Re: Exceptions that never happened before

See0 — Tue, 28 Mar 2023 08:41:23 GMT

I have write you in private.

Re: Exceptions that never happened before

bowesmana — Tue, 28 Mar 2023 22:34:38 GMT

Please post the examples here, so any solutions can help others. I do not give answers through private messages.

Thanks.

Re: Exceptions that never happened before

See0 — Tue, 11 Apr 2023 13:32:46 GMT

Those are my type of exceptions.

Re: Exceptions that never happened before

See0 — Mon, 24 Apr 2023 20:00:53 GMT

Could you help me?

Re: Exceptions that never happened before

bowesmana — Sun, 30 Apr 2023 23:51:48 GMT

What exactly are you stuck with?

Re: Exceptions that never happened before

See0 — Mon, 01 May 2023 07:39:47 GMT

Hello, even if i make the search wiht the data that i have is showing me all the exception, is not excluding the exception from the .csv.

How exactly should i make the search to get only the exception that are not in the file?

Re: Exceptions that never happened before

bowesmana — Mon, 01 May 2023 23:44:48 GMT

Please post your current search and an example of the contents of the csv

Re: Exceptions that never happened before

See0 — Tue, 02 May 2023 06:45:44 GMT

Hi,

Currently im trying to search against this file :

index="doc" Exception error NOT [ | inputlookup KnownException.csv]

My csv file looks like this(140 exceptions):

My env looks like this:

When i run this query i want to extract only the exceptions that are not in the file. Somehow this is not happening and is showing me even the exceptions that are present in the file.

I want to full exclude all the exceptions from the file.

Re: Exceptions that never happened before

bowesmana — Wed, 03 May 2023 00:51:29 GMT

What is the column name of the field in your exception CSV?

Your subsearch will translate to

( ( Field = A) OR (Field = B) OR (Field = C) )

where Field is the name of the column in your CSV and therefore MUST also be a field in your data. If it is not a field in your data, then you will be looking for event that do NOT contain those Fields, which will be everything.

You can also add this to your subsearch

| return 200 $Field

Where 'Field' is the name of your column in the CSV and it will return just the text of the exception in the csv.

Re: Exceptions that never happened before

See0 — Wed, 03 May 2023 06:07:48 GMT

Hello, the column is called "exception" and i don't have that column extracted as a field?

What you recommend?

And also how should look the final search ?

Thank you so much for the time and help.

Re: Exceptions that never happened before

bowesmana — Thu, 04 May 2023 06:49:42 GMT

Have you tried my second suggestion?