topic Re: Tomcat sum counted statistic over all 6 Log Levels in Splunk Search

Tomcat sum counted statistic over all 6 Log Levels

sdohn — Mon, 14 May 2012 14:48:17 GMT

Hi, I want to create a chart for my tomcat logs.
In result there should be a summarized countet statistic for the different log levels like INFO, DEBUG, WARN, ERROR, FATAL, TRACE
The statistic should be between a time frame like the last whole week and the last whole month.

My logs looks like this example:

INFO ;2012-04-11 08:37:18,659;manny more ***;BEENDE HTTP/1.1 POST-Request - Zeit=2,698ms
DEBUG ;2012-04-12 09:72:18,659;manny more ***;BEENDE HTTP/1.1 POST-Request - Zeit=2,698ms
WARN ;2012-04-13 10:34:18,659;manny more ***;BEENDE HTTP/1.1 POST-Request - Zeit=2,698ms
ERROR ;2012-04-14 12:56:18,659;manny more ***;BEENDE HTTP/1.1 POST-Request - Zeit=2,698ms
FATAL  ;2012-04-15 09:35:18,659;manny more ***;BEENDE HTTP/1.1 POST-Request - Zeit=2,698ms
TRACE ;2012-04-16 08:45:18,659;manny more ***;BEENDE HTTP/1.1 POST-Request - Zeit=2,698ms

What I get for the moment is a counted report from only lets say the INFO level like:

source="/opt/logs/radical-up.090909x.log" INFO | timechart sum(count) as "INFOSTATUS"

But how can I create a search which includes all other 5 remaining log levels and generates a nice summarized chart for me.

brgds. from sdohn

Re: Tomcat sum counted statistic over all 6 Log Levels

Genti — Mon, 14 May 2012 14:55:41 GMT

So, if INFO, DEBUG, WARN ERROR FATAL and TRACE are already being extracted i assume? If not, you should extract them with a field extraction and call them something like "STATUS".
Then you should be able to do | timechart sum(count) AS by STATUS

This should give you a nice little chart with the count of each event by the status code above..

Re: Tomcat sum counted statistic over all 6 Log Levels

sdohn — Sat, 19 May 2012 05:43:15 GMT

Hi thanks for your answer, for the moment your example does not work for me.
Lets work on a real example.

I've download this logfile:
http://innovato.com/splunk/websample.log

When I fire up this query I get the timechart where all available status codes will be sum
source="websample.log" status="*" | timechart sum(count)

But how to get a sum(count) timechart report where I can get a bar for lets say:
all status codes 200 bar in color green
all status codes 404 bar in color red
And all in one report

thanks!

Re: Tomcat sum counted statistic over all 6 Log Levels

sdohn — Sat, 19 May 2012 05:52:46 GMT

Unfortunalety your example does not work for me.
Maybe I do not correctly interpret it.

source="websample.log" | timechart sum(count) AS < status="202" status="404" > by status