How to group type of exceptions in the log ?

Bero — Fri, 29 Apr 2011 12:55:33 GMT

Hi!
I am a relative new user of Splunk so I have only used basic search that works fine.

Background:
I'm a member of a team that maintenance a big Delphi application. That is deployed on 4 servers. If there is an exception in the application that is logged in a textfile.
This is an example how it could look like in the log:

20110429 14:39:07 (16616) [EXCEPTION] Raised EBoldOperationFailedForObjectList: Optimistic locking failed for the following 2 objects:Id: 119993351, Id: 119993879. At Location BoldSystemPersistenceHandler.TBoldSystemPersistenceHandler.UpdateDatabaseWithList (BoldSystemPersistenceHandler.pas:500)
Inner Exception Raised EBoldOperationFailedForObjectList: Optimistic locking failed for the following 2 objects:Id: 119993351, Id: 119993879. At Location BoldSystemPersistenceHandler.TBoldSystemPersistenceHandler.UpdateDatabaseWithList (BoldSystemPersistenceHandler.pas:500)
Call Stack:
    [00] BoldSystemPersistenceHandler.TBoldSystemPersistenceHandler.UpdateDatabaseWithList (BoldSystemPersistenceHandler.pas:500)
    [01] BoldSystem.TBoldSystem.UpdateDatabaseWithList (BoldSystem.pas:1868)
    [02] BoldSystem.TBoldSystem.UpdateDatabase (BoldSystem.pas:1860)
    [03] AttracsDBSync.TATSyncPersistenceHandle.DBSync (..\server\units\AttracsDBSync.pas:1071)
    [04] AttracsDBSync.TATSyncPersistenceHandle.SyncSystemWithDatabase (..\server\units\AttracsDBSync.pas:1131)
    [05] DMAttracs.TServerData.SyncSystemWithDatabase (..\server\code\DMAttracs.pas:467)
    [06] DMAttracs.TServerData.ApplicationEventsIdle (..\server\code\DMAttracs.pas:494)
    [07] AppEvnts.TCustomApplicationEvents.DoIdle (AppEvnts.pas:216)
    [08] Forms.TApplication.Idle (Forms.pas:8533)
    [09] Forms.TApplication.HandleMessage (Forms.pas:8124)

Question:
If I for example search for "[EXCEPTION]" I got a lot of hits like the one above. This is of type EBoldOperationFailedForObjectList but there are also many others.

Is there a way to count each typ of exception ?
For example if I have 15 exceptions today maybe 5 of those are EBoldOperationFailedForObjectList, 3 are EAccessViolation, 7 are EInvalidCast then I got this list:

EBoldOperationFailedForObjectList 5
EAccessViolation 3
EInvalidCast 7

Is it possible to get such list from Splunk or maybe a graph ?

Regards

Roland
Team Attracs

Re: How to group type of exceptions in the log ?

JSapienza — Fri, 29 Apr 2011 13:19:40 GMT

Sounds like you need to do a field extraction for the Exceptions :

http://www.splunk.com/base/Documentation/4.2.1/Knowledge/Addfieldsatsearchtime

Then you can drill down and perform counts based on field with the stats command:

http://www.splunk.com/base/Documentation/4.2.1/SearchReference/Stats

Re: How to group type of exceptions in the log ?

howyagoin — Sun, 01 May 2011 09:08:59 GMT

As JSapienza says, you want to do work with field extractions, but you can start with something like:

"EXCEPTION" | rex field=_raw "Raised (?<reason>\w+):" | chart count by reason

You can also play around with "| stats count by reason"

There is also no doubt a better way to express the RegEx, such as possibly:

 rex field=_raw "Raised (?\w+)[:]"

But I'm horrible with RegEx.

Re: How to group type of exceptions in the log ?

Bero — Sun, 01 May 2011 19:51:30 GMT

Im really impressed of what Splunk can do with some knowledge 🙂 Anyway this is want I want. Thanks!!!

topic How to group type of exceptions in the log ? in Splunk Search

How to group type of exceptions in the log ?

Re: How to group type of exceptions in the log ?

Re: How to group type of exceptions in the log ?

Re: How to group type of exceptions in the log ?