topic How to combine searches in order to output the total result of each exception? in Splunk Search

How to combine searches in order to output the total result of each exception?

jw44250 — Thu, 05 Jan 2017 22:55:22 GMT

I have able to get unique result for each logs...now my issue is that i dont know how to combine the results
this works

index=index1 sourcetype=mySourcetype "Caused by:"
 | rex field=_raw "Caused by:\s(?[\S]+)"
 | stats count by myException

index=index2 sourcetype=mySourcetype "Caused by:"
 | rex field=_raw "Caused by:\s(?[\S]+)"
 | stats count by myException

how to join index1 and index2 and print the result?

Re: How to combine searches in order to output the total result of each exception?

gokadroid — Fri, 06 Jan 2017 00:11:56 GMT

Try this please:

(index=index1 OR index=index2) sourcetype=mySourcetype "Caused by:"
|  rex field=_raw "Caused by:\s(?<myException>[\S]+)"
| stats count by myException

Also if this answer helped you, please close it by accepting the answer. Thanks.
https://answers.splunk.com/answers/486114/how-to-generate-a-table-that-lists-all-java-except.html#answer-484734

Re: How to combine searches in order to output the total result of each exception?

somesoni2 — Fri, 06 Jan 2017 04:27:38 GMT

How do you want to combine, get a single total OR get separate total in single search result? @gokadroid answer is giving you former.

Re: How to combine searches in order to output the total result of each exception?

jw44250 — Fri, 06 Jan 2017 04:37:37 GMT

Output i am looking is :

SearchType . ExceptionName . Occurance
xyz. java.io.Exception 10
abc . java.lang.ClassException . 5

Re: How to combine searches in order to output the total result of each exception?

somesoni2 — Fri, 06 Jan 2017 04:40:58 GMT

How to get the SearchType? Its not a field in your original query.

Re: How to combine searches in order to output the total result of each exception?

jw44250 — Fri, 06 Jan 2017 04:41:06 GMT

separate total in single search row

Re: How to combine searches in order to output the total result of each exception?

somesoni2 — Fri, 06 Jan 2017 04:45:17 GMT

Just add the index field in the stats command in @gokadroid's answer, if you want to differential between exceptions from index1 and index2.

(index=index1 OR index=index2) sourcetype=mySourcetype "Caused by:"
 |  rex field=_raw "Caused by:\s(?<myException>[\S]+)"
 | stats count by index myException

Re: How to combine searches in order to output the total result of each exception?

gokadroid — Fri, 06 Jan 2017 04:49:11 GMT

I think what I understood that requirement was:

index1 had exception1, exception2
index2 had exception 2, exception3

Required output

   Type.............. count
    exception1....... 1
    exception2........ 2
    exception3........ 1

Re: How to combine searches in order to output the total result of each exception?

somesoni2 — Fri, 06 Jan 2017 05:00:06 GMT

That's why having an expected output in the question clears the requirement 100% of the time.

Re: How to combine searches in order to output the total result of each exception?

puneethgowda — Tue, 29 Sep 2020 13:06:31 GMT

Hi Gokadroid
How to extract field from below raw by using rex
We tried this

index="" source="E:\Splunk_logs\PH\Prod\MethodExecution\1088\VWNV02AX01571\MethodExecutionInfo20170215-09.txt" | rex field=_raw "(?P.[^@$@])" | rex field=_raw "(?P.[^vw]*)"

But able extract 1st Field date based on @$@ but 2nd field onwards we need to try based in 2nd occuranc of @$@ will be 2nd field server name and 3rd occurance of @$@ will be 3 field session ID like that all fields
2017-02-15 09:59:51,787@$@VWNV02AX01571@$@72f62f43-7269-4ca9-add5-3b623982a5fc@$@@$@5e3de831-cde6-4b83-be76-0235345063c3@$@OHHNCacheCommonBO@$@LogDynamicObjectsByDelegates@$@LogDynamicObjects@$@2017-02-15 09:59:51.787@$@2017-02-15 09:59:51.787@$@0@$@@$@

It would be great help for me!!!!!!!

Happy Splunking I love splunk