topic Re: How Can I get a table of distinct errors? in Splunk Search

How Can I get a table of distinct errors?

aohls — Tue, 12 Dec 2017 17:44:18 GMT

I am looking to create a table for distinct errors we have. Unfortunately I had this working at one point and am unable to recreate it and didn't save it. I have the following string, "Error - (Some text explaining the error)". I was doing the following to pull the variable for the error string: rex field=_raw "Error - \|(?<ErrorString>\d+)"

I am looking to create a table with the server, distinct error string, count of total occurrences of the error on the specified server. Currently when I try to add my ErrorString field, I get the number of events from my search but each field is blank.

Re: How Can I get a table of distinct errors?

adonio — Tue, 29 Sep 2020 17:16:31 GMT

maybe this:

your search | rex field=_raw "Error - |(?\d+)"
| stats count as error_count dc(ErrorString) as ErrString by server

Re: How Can I get a table of distinct errors?

DalJeanis — Tue, 12 Dec 2017 18:28:13 GMT

Given the data, I don't see the reason for the escaped pipe \| in your rex. try deleting that and seeing if the rex works again.

Re: How Can I get a table of distinct errors?

rphillips_splk — Tue, 12 Dec 2017 18:28:25 GMT

From your description it sounds like you might be after a search like:

...|rex field=_raw "Error - \|(?<ErrorString>\d+)" | stats count by host ErrorString

Re: How Can I get a table of distinct errors?

aohls — Tue, 12 Dec 2017 19:29:04 GMT

My error string is multiple words, is there a way to specify the rex to go a certain length and not stop at the first word?

Re: How Can I get a table of distinct errors?

DalJeanis — Tue, 12 Dec 2017 19:43:51 GMT

If you wanted up to 30 characters, you could go

|rex field=_raw "Error - \|(?<ErrorString>.{1,30})"