topic Re: How to get the list of unique exceptions which are occurring only today but not in the past? in Splunk Search

How to get the list of unique exceptions which are occurring only today but not in the past?

guru89044 — Tue, 20 Feb 2018 11:36:18 GMT

I am trying this command but looks like its displaying all the exceptions. please let me know how to get the exceptions which are occurring only today but not earlier in splunk

(index=x AND (host=y) AND "java.exception" AND earliest=-1d@d latest=now NOT [ | search (index=x) AND (host=y) AND "java.exception" AND earliest=-15d@d latest=-2d@d | rex "(?java?.[.\w]+Exception)" | stats count by Exception | sort by count ] | rex "(?java?.[.\w]+Exception)" | stats count by Exception | sort by count

| set diff query is also not working.

Re: How to get the list of unique exceptions which are occurring only today but not in the past?

493669 — Tue, 20 Feb 2018 11:39:44 GMT

try earliest=-0d@d instead of earliest=-1d@d

Re: How to get the list of unique exceptions which are occurring only today but not in the past?

guru89044 — Tue, 20 Feb 2018 12:50:27 GMT

yeah but that's not solution.

Re: How to get the list of unique exceptions which are occurring only today but not in the past?

elliotproebstel — Tue, 20 Feb 2018 15:13:34 GMT

I think maybe some of the code is getting chomped in your post. I'll assume you are able to successfully execute a straightforward search that extracts the field Exception and conclude with | stats count by Exception | sort 0 - count. If that's not true, then please try reposting your code by first clicking the 101010 code button and then entering the code in the modal window.

I'm going to re-state the goal, because I think there is a more straightforward approach to what you want to do. If I understand correctly, you want to list all Exception codes whose first appearance in the last 15 days was today. That can be done in a single search with no subsearches:

index=x host=y "java.exception" earliest=-15d@d latest=now 
| rex statement that extracts the Exception field
| stats earliest(_time) AS first_time BY Exception
| where first_time>=relative_time(now(), "@d")
| sort 0 - first_time
| convert ctime(first_time)

The last line just makes the timestamp in the first_time field display in human readable format; you won't need it if you plan to use the value in further comparisons or calculations.

Re: How to get the list of unique exceptions which are occurring only today but not in the past?

guru89044 — Wed, 21 Feb 2018 05:45:32 GMT

@elliotproebstel Thank you. my end goal is to compare between 2 time durations.

find no. of exceptions from 1st Feb 1 to 10th Feb.
find the no. of exceptions from 11th Feb to 15th Feb.
I want only unique exceptions from 11th Feb to 15th Feb which did not occur during 1st Feb 1 to 10th Feb along with count(No. Of. of times new exception occured).

Please let me know how to compare with 2 time durations

Re: How to get the list of unique exceptions which are occurring only today but not in the past?

elliotproebstel — Wed, 21 Feb 2018 14:46:00 GMT

Sure, that's actually just a slight variation on the answer above. In the first answer, we gathered all events over 15 days and identified Exceptions that were first seen today. In this new challenge, we'll gather all events that occurred 1 Feb - 15 Feb and identify Exceptions that were first seen after 10 Feb. Exact same search structure, just different dates!

With your timepicker for the search, select 1 Feb as the start date and 15 Feb as the end date. We want Splunk to gather events from the overall time window, and then we'll analyze those.

index=x host=y "java.exception"
| rex statement that extracts the Exception field
| stats earliest(_time) AS first_time BY Exception
| eval window_start=strptime("2018-02-11", "%F")
| where first_time>=window_start
| stats count by Exception

Re: How to get the list of unique exceptions which are occurring only today but not in the past?

guru89044 — Thu, 22 Feb 2018 07:31:48 GMT

@elliotproebstel Thank you very much. Now i can play with dates. Can you please explain me the rex "(?java?.[.\w]+Exception)"?

Its listing all the exceptions but when continues exceptions are present in the logs like below, looks like Its considering only first exception and ignoring other 2. So its listing the exceptions which are not unique also.

Example : its listing java.util.concurrent.ExecutionException: as unique even though it occured before like this log.

logs : (java.lang.RuntimeException: java.util.concurrent.ExecutionException: java.lang.RuntimeException: org.xyz....)