topic Re: Group Events with pattern in Splunk Search

Group Events with pattern

Thulasinathan_M — Sat, 31 Aug 2024 17:05:08 GMT

Hi Splunk Experts,
I've been trying to group "WARN" logs, but they have a pattern (Dynamic/ Argument values) in them. I'm aware of rex, but I don't want to manually rex for 1000s of such different events. I've even tried cluster, but that doesn't suits well my usecase. Any assistance would be much appreciated.!! Thanks in advance.

2024-08-31 12:34:56 WARN ConfigurationLoader - Deprecated configuration detected in path /xx/yy/zz. Please update your settings to use the latest configuration options. 2024-08-31 12:34:56 WARN ConfigurationLoader - Deprecated configuration detected in path /aa/dd/jkl. Please update your settings to use the latest configuration options. 2024-08-31 14:52:34 WARN QueryExecutor - Query execution time exceeded the threshold: 12.3 seconds. Query: SELECT * FROM users WHERE last_login > '2024-01-01'. 2024-08-31 14:52:34 WARN QueryExecutor - Query execution time exceeded the threshold: 21.9 seconds. Query: SELECT * FROM contacts WHERE contact_id > '252’. 2024-08-31 14:52:34 WARN QueryExecutor - Query execution time exceeded the threshold: 9.5 seconds. Query: SELECT * FROM users WHERE user_id = '123024001'. 2024-08-31 13:45:10 WARN MemoryMonitor - High memory usage detected: 85% of allocated memory is in use. Consider increasing the available memory. 2024-08-31 13:45:10 WARN MemoryMonitor - High memory usage detected: 58% of allocated memory is in use. Consider increasing the available memory. 2024-08-31 14:52:34 WARN QueryExecutor - Query execution time exceeded the threshold: 32.3 seconds. Query: SELECT * FROM users WHERE last_login > '2024-01-01'.

I wish to group them something like below to group similar events!!

WARN ConfigurationLoader Deprecated configuration detected in path. Please update your settings to use the latest configuration options	2
WARN QueryExecutor Query execution time exceeded the threshold: . Query:	4
WARN MemoryMonitor High memory usage detected: of allocated memory is in use. Consider increasing the available memory.	2

Re: Group Events with pattern

richgalloway — Sun, 01 Sep 2024 00:13:26 GMT

Have you tried the "Patterns" tab? That can show patterns in your results if you have enough events for Splunk to analyze.

If you have a finite set of events then you may be able to group them using a case function and the stats command.

... | eval warn = case(match(_raw, "ConfigurationLoader - Deprecated configuration detected in path .*?. Please update your settings to use the latest configuration options.", "ConfigurationLoader - Deprecated configuration detected in path. Please update your settings to use the latest configuration options", match(_raw, "QueryExecutor - Query execution time exceeded the threshold .*", "QueryExecutor - Query execution time exceeded the threshold. Query:", match(_raw, "MemoryMonitor - High memory usage detected: .*? of allocated memory is in use. Consider increasing the available memory.", "MemoryMonitor - High memory usage detected: of allocated memory is in use. Consider increasing the available memory.", 1==1, _raw) | stats count by warn

Of course, this requires you to know which warnings are of interest and becomes impractical when there is a large number of them.

Re: Group Events with pattern

PickleRick — Sun, 01 Sep 2024 08:52:50 GMT

If you want Splunk to "guess", you might look at MLTK.