topic Re: filtering errors based on two timestamps in Splunk Search

filtering errors based on two timestamps

Nisha18789 — Wed, 23 Oct 2013 12:48:51 GMT

I have a site and errors on that site are being recorded in splunk.
I basically need to filter out those error which occur due to a particular deployment for that sourcetype.
suppose before 10 days of deployment Errors(Exceptions) were: A,B, C and D
after 2 days of deployment errors were: A, B,C, D and E

so need to prepare a query which gets the result as E i.e, the new errors that are occurring after the recent deployment.

we need to compare the Message's first 100 characters of today's error with that of previous days. And if the message has occured before also, then we will ignore that message in result. The result should include only fresh messages after a particular deployment.
also the only characteristic feature of the error is 'Message' which has value like: 'Advisory Code: 1315 was not found in the CMS....' we need to compare first 100 letters approx.

please help me out....

Re: filtering errors based on two timestamps

lpolo — Wed, 23 Oct 2013 13:52:52 GMT

Since your question does not have any specific log event example use the following after your splunk query construct:

include your splunk query construct that identifies your deploy error events here| eventstats latest(_time) as ltime by host | where _time=ltime

The result set should be the last event "deployment error" found in each host.

Thanks,
Lp

Re: filtering errors based on two timestamps

Nisha18789 — Thu, 24 Oct 2013 04:34:01 GMT

I do not know how to make that query construct that identifies deploy error events. That is what am asking.
I am posting event log as an answer as it will not be visible clearly here in comment.

Re: filtering errors based on two timestamps

Nisha18789 — Thu, 24 Oct 2013 05:26:27 GMT

I am posting a sample event log

20131024002915.000000

Category=0

CategoryString=NULL

EventCode=0

EventIdentifier=0

EventType=3

Logfile="some value"

RecordNumber=5866554

SourceName="some value"

TimeGenerated=20131024042915.000000-000

Type=Information
User=NULL

ComputerName="some value"

wmi_type="Application Name"

Message=Advisory Code: 1249 was not found in the CMS. Description:We are not able to find any rates that match the qualifiers you specified. Please modify your search criteria, or select from the alternates.

Re: filtering errors based on two timestamps

lpolo — Thu, 24 Oct 2013 11:54:32 GMT

To learn about the Splunk query language you can start with this online book:
http://www.splunk.com/goto/book

You may try this:
Assuming that the event sample is indexed in the main index:

index=main EventCode=0 EventIdentifier=0 EventType=3 SourceName="some value"|eventstats latest(_time) as ltime by host | where _time=ltime|table host TimeGenerated RecordNumber ComputerName Message

Re: filtering errors based on two timestamps

Nisha18789 — Thu, 24 Oct 2013 12:17:12 GMT

I used the query but its not giving me the required output since I want the particular deployment error ie all other errors which were common in previous 30 days n after deployment should be filtered out. Please help...

Re: filtering errors based on two timestamps

Nisha18789 — Thu, 24 Oct 2013 12:29:44 GMT

Could you please tell me how to find the difference in two searches which will solve my problem as
(search for errors during past 2 days)- (search for errors during past 30 days)= required result