Application error dashboard

New Member

Hi
I need to prepare a dashboard which shows the list of applications and the error count for the past 7 days. I need to show it in table format with the application that has the highest number of errors on top. May I know how I can achieve that?

0 Karma

New Member

Hi
Thanks for your quick reply. Yes, in my company there are around 100 applications installed on a single physical server. The only way to identify the application name is based on the app log file name, as all errors specific to an app will be written into a specific log file. But all the logs are under one folder structure on the server. So how can I prepare a dashboard with the app name and error count and sort the list based on the highest errors?
Here is the example entry for an event in Splunk:

[Jul 27, 2016 02:55:38] ERROR [] [VehicleDAO] TimeoutException from callVINtelligenceWS method call : null
date_mday = 27 date_month = july host = ods010adlrp04 source = /clocal/www/logs/WAS/WebSphere7/cscsales.log

0 Karma

New Member

How can I sort and show the top 20 applications in this dashboard?
I tried this but it didn't work:
source = /clocal/www/logs/WAS/WebSphere7/*.log error | stats count AS ERR_CNT by source | sort limit=20 ERR_CNT

0 Karma

SplunkTrust

You will need to use the top command along with defining the field error. See my comment above: I would work on extracting the app name, then extracting the error name, then use the top command to order them from greatest to smallest.

0 Karma

SplunkTrust

Hello @saikalyani9, welcome to Splunk Answers.

To make a dashboard you will need to define some fields, then use them in your query. First you will need to define what an application is, then you will need to define what an error is.

By application, I'm assuming you work in a company that has multiple applications. I would look at the events and see if each application is unique or has the name in the event somewhere. If so, then you will need to write a regular expression to make that a field. You will then need to define what an error is. Are errors anything other than a 200? Or do you consider only 404s an error?

Once both these fields are defined, you will then need to write a query like this:

index=unleashed Application=* | timechart count by Error

Application will be the field which you defined as the application and Error will be the field you defined as an error. The timechart command will make a visual representation of your data. Give us a sample of your logs and I can help you write a regular expression to extract these fields from your logs.

0 Karma

New Member

Hi
Today I prepared a simple dashboard with the application log file names and the count corresponding to each log file.
That dashboard looks something like this:

Source Count
/clocal/www/logs/WAS/WebSphere7/dcsession.log 23123
/clocal/www/logs/WAS/WebSphere7/sales.common.log 345345
/clocal/www/logs/WAS/WebSphere7/voim.log 4534
/clocal/www/logs/WAS/WebSphere7/dipap.log 343
/clocal/www/logs/WAS/WebSphere7/dcws.log 3453

If I need to show just the application name instead of the entire path with the log file name in the dashboard, how can I do that?

0 Karma

SplunkTrust

You will need to extract the field using a regular expression, then use that field in your query. What's the name of the application below? Is it dcsession, sales, voim, etc.?

If so, then your regex will look like this:

(?P<AppName>(?<=WebSphere7\/)\w+(?=\.common|\.log))

Go to your Fields section, Extract New Fields, I'd prefer to write the regular expression myself, then paste this regex in, then review it, then save

/clocal/www/logs/WAS/WebSphere7/dcsession.log 23123
/clocal/www/logs/WAS/WebSphere7/sales.common.log 345345
/clocal/www/logs/WAS/WebSphere7/voim.log 4534
/clocal/www/logs/WAS/WebSphere7/dipap.log 343
/clocal/www/logs/WAS/WebSphere7/dcws.log 3453
0 Karma

Splunk Employee

Assuming each log is a different application, use some regex to pull the filename from the source field into a new field, then use eval or a lookup to give more friendly application names.

https://answers.splunk.com/answers/268995/how-to-extract-filename-form-source-field.html

0 Karma
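
Putting the thread's pieces together, as an added example that is not part of any poster's reply: one search that extracts the application name from `source` at search time, counts ERROR events over the past 7 days and keeps the 20 applications with the most errors, highest first. The `rex` pattern is a variant of the regex posted above, written here on the assumption that every file name has the form `<app>.log` or `<app>.common.log`, as in the sample paths; `AppName` and `ERR_CNT` are the field names used in the thread.

```spl
source="/clocal/www/logs/WAS/WebSphere7/*.log" ERROR earliest=-7d@d latest=now
| rex field=source "/WebSphere7/(?<AppName>[^/]+?)(?:\.common)?\.log$"
| eval AppName=coalesce(AppName, source)
| stats count AS ERR_CNT BY AppName
| sort 20 -ERR_CNT
```

`stats ... BY AppName` drops events where `AppName` is null, so the `coalesce` keeps any source the pattern does not match visible under its full path instead of letting it vanish from the table. In `sort`, the leading number is the row limit and the `-` prefix sorts descending.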