topic How to write a search to compare two weeks errors, and highlight any new errors? in Splunk Search

How to write a search to compare two weeks errors, and highlight any new errors?

uagraw01 — Thu, 20 Oct 2022 14:43:06 GMT

Hello Splunkers !!

Last week	Current week	New Error
"enableEnhancedCheckout"	"enableEnhancedCheckout"	"error_in_python_script"
	"error_in_python_script"

Above is the use case I have, In which I want to compare two week errors. And if any new error introduced then I want to highlight that error. Below is the SPL I have used so far. Please let me know what I need to correct in below query and How can I achieve, if you have any other approach.

Index="ABC" source="/abc.log" ("ERROR" OR "EXCEPTION") earliest=-14d latest=now() | rex field=_raw "Error\s(?<Message>.+)MulesoftAdyenNotification" | rex field=_raw "fetchSeoContent\(\)\s(?<Exception>.+)" | rex field=_raw "Error:(?<Error2>.+)" | rex field=_raw "(?<ErrorM>Error in template script)+" | rex field=_raw "(?ms)^(?:[^\\|\\n]*\\|){3}(?P<Component>[^\\|]+)" | rex "service=(?<Service>[A-Za-z._]+)" | rex "Sites-(?<Country>[A-Z]{2})" | eval Error_Exception= coalesce(Message,Error2,Exception,ErrorM) | eval Week=case(now()-_time<604800,"Current_Week",_time>604800, "Last_Week") | stats dc(Week) AS Week_count values(Week) AS Week by Error_Exception | eval Error_Status=if(Week_count=2,"Both Weeks",Week) | eval Difference1= abs(tonumber(Last_Week) - tonumber(Current_Week)) | stats count by Difference1 | fields - count

Re: Splunk SPL

gcusello — Thu, 20 Oct 2022 10:14:22 GMT

Hi @uagraw01,

let me understand: you want to list the new errors in the current week respsct the previous week, is this correct?

if this is yur need, your search is almost correct but not the last three statements.

to list the new errors you need something like this:

Index="ABC" source="/abc.log" ("ERROR" OR "EXCEPTION") earliest=-14d latest=now() | rex "Error\s(?<Message>.+)MulesoftAdyenNotification" | rex "fetchSeoContent\(\)\s(?<Exception>.+)" | rex "Error:(?<Error2>.+)" | rex "(?<ErrorM>Error in template script)+" | rex "(?ms)^(?:[^\\|\\n]*\\|){3}(?P<Component>[^\\|]+)" | rex "service=(?<Service>[A-Za-z._]+)" | rex "Sites-(?<Country>[A-Z]{2})" | eval Error_Exception= coalesce(Message,Error2,Exception,ErrorM) | eval Week=if(now()-_time<604800,"Current_Week","Last_Week") | stats dc(Week) AS Week_count values(Week) AS Week by Error_Exception | where Week_count=1 AND Week="Current_Week" | table Error_Exception

If instead you want to have three columns as the table you shared, you should try something like this:

Index="ABC" source="/abc.log" ("ERROR" OR "EXCEPTION") earliest=-14d latest=now() | rex "Error\s(?<Message>.+)MulesoftAdyenNotification" | rex "fetchSeoContent\(\)\s(?<Exception>.+)" | rex "Error:(?<Error2>.+)" | rex "(?<ErrorM>Error in template script)+" | rex "(?ms)^(?:[^\\|\\n]*\\|){3}(?P<Component>[^\\|]+)" | rex "service=(?<Service>[A-Za-z._]+)" | rex "Sites-(?<Country>[A-Z]{2})" | eval Error_Exception= coalesce(Message,Error2,Exception,ErrorM) | eval Week=if(now()-_time<604800,"Current_Week","Last_Week") | stats dc(Week) AS Week_count values(Week) AS Week BY Error_Exception | eval Week=if(Week_count=2,"Both",Week) | stats values(eval(if(Week_count=2 OR Week="Last_Week",Error_Exception,"") AS "Last_Week" values(eval(if(Week_count=2 OR Week="Current_Week",Error_Exception,"") AS "Current_Week" values(eval(if(Week="Current_Week",Error_Exception,"") AS "New Error"

Ciao.

Giuseppe

Re: Splunk SPL

uagraw01 — Thu, 20 Oct 2022 10:49:30 GMT

@gcusello Thanks for your valuable inputs. I have corrected the parenthesis.

| stats values(eval(if(Week_count=2 OR Week="Last_Week",Error_Exception,""))) AS "Last_Week" values(eval(if(Week_count=2 OR Week="Current_Week",Error_Exception,""))) AS "Current_Week" values(eval(if(Week="Current_Week",Error_Exception,""))) AS "New Error"

In production enevironment it is taking so much time to retreive the results. Can we put any mechanism where we can compare last 10 errors only to optimize the results?

Re: Splunk SPL

gcusello — Thu, 20 Oct 2022 11:05:06 GMT

Hi @uagraw01,

the stats command is usually very quick, even if there are some eval!

Could you share your full search, maybe there's something to optimize.

Ciao.

Giuseppe

Re: Splunk SPL

uagraw01 — Thu, 20 Oct 2022 11:08:56 GMT

Below is my complete SPL ( excluding metadata fields )

("ERROR" OR "EXCEPTION") earliest=-14d latest=now()
| rex field=_raw "Error\s(?<Message>.+)MulesoftAdyenNotification"
| rex field=_raw "fetchSeoContent\(\)\s(?<Exception>.+)"
| rex field=_raw "Error:(?<Error2>.+)"
| rex field=_raw "(?<ErrorM>Error in template script)+"
| rex field=_raw "(?ms)^(?:[^\\|\\n]*\\|){3}(?P<Component>[^\\|]+)"
| rex "service=(?<Service>[A-Za-z._]+)"
| rex "Sites-(?<Country>[A-Z]{2})"
| eval Error_Exception= coalesce(Message,Error2,Exception,ErrorM)
| eval Week=if(now()-_time<604800,"Current_Week","Last_Week")
| stats dc(Week) AS Week_count values(Week) AS Week BY Error_Exception
| eval Week=if(Week_count=2,"Both",Week)
| stats values(eval(if(Week_count=2 OR Week="Last_Week",Error_Exception,""))) AS "Last_Week" values(eval(if(Week_count=2 OR Week="Current_Week",Error_Exception,""))) AS "Current_Week" values(eval(if(Week="Current_Week",Error_Exception,""))) AS "New_Error"
| head 10

Re: Splunk SPL

gcusello — Thu, 20 Oct 2022 11:21:35 GMT

Hi @uagraw01,

as I said, stats command is usually very quick even if there are some eval options.

At first add the index to the main search and you'll have better performaces.

Then, if you can add more filters (e.g. host or sourcetype) to your main search

I don't think that the "head 10" at the end of the search will save much time.

If you have very many events, you could schedule your search every night and save results in a summary index, then you can run your search on the summary index.

Ciao.

Giuseppe

Re: Splunk SPL

uagraw01 — Thu, 20 Oct 2022 11:29:13 GMT

@gcusello My results are look like as below. There are too many results. If you can filter out me only last top 10 unique new errors. How can I use the Approach.

Re: Splunk SPL

gcusello — Thu, 20 Oct 2022 12:31:29 GMT

Hi @uagraw01,

it seems that there's an error in the first eval in stats, so please try this:

("ERROR" OR "EXCEPTION") earliest=-14d latest=now() | rex field=_raw "Error\s(?<Message>.+)MulesoftAdyenNotification" | rex field=_raw "fetchSeoContent\(\)\s(?<Exception>.+)" | rex field=_raw "Error:(?<Error2>.+)" | rex field=_raw "(?<ErrorM>Error in template script)+" | rex field=_raw "(?ms)^(?:[^\\|\\n]*\\|){3}(?P<Component>[^\\|]+)" | rex "service=(?<Service>[A-Za-z._]+)" | rex "Sites-(?<Country>[A-Z]{2})" | eval Error_Exception= coalesce(Message,Error2,Exception,ErrorM) | eval Week=if(now()-_time<604800,"Current_Week","Last_Week") | stats dc(Week) AS Week_count values(Week) AS Week BY Error_Exception | eval Week=if(Week_count=2,"Both",Week) | stats values(eval(if(Week="Both" OR Week="Last_Week",Error_Exception,""))) AS "Last_Week" values(eval(if(Week="Both" OR Week="Current_Week",Error_Exception,""))) AS "Current_Week" values(eval(if(Week="Current_Week",Error_Exception,""))) AS "New_Error"

then as I said, add index and eventually some other field to filter results.

In addition, Error_Exception has very long values, is it correct or is it possible to reduce them?

Ciao.

Giuseppe

Re: Splunk SPL

uagraw01 — Thu, 20 Oct 2022 12:36:17 GMT

@gcusello Thanks for correcting the SPL. Yes we can reduce them by using the substr.

Re: Splunk SPL

gcusello — Thu, 20 Oct 2022 13:50:28 GMT

Hi @uagraw01,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉