Splunk Search

How to list count of Error messages

AravindSridhara
New Member

I have multiple error messages in the logs and I do a count by ErrorMessage. The error messages get listed as below.

ErrorMessage                                          Count
Execute Hedging Failed                                  427
Execute Risk Failed                                     727
Unable to create parallel trade for trade ID 12345      400
Unable to create parallel trade for trade ID 23456      326

In the table above, error messages 1 and 2 are valid, but the 3rd and 4th are the same except for the trade ID. I want to tweak my query in such a way that 3 and 4 are joined together and I get "Unable to create parallel trade" 726 (400+326).

My current query:

index=XYZ sourcetype="Apache Log" Error | stats count by PT_ErrMsg

PT_ErrMsg is a field extraction created to get the error message.

0 Karma
1 Solution

PPape
Contributor

quick and dirty:

index=XYZ sourcetype="Apache Log" Error | eval ErrorMsg = if(like(PT_ErrMsg,"Unable to create parallel trade for trade ID%"),"Unable to create parallel trade for trade ID",PT_ErrMsg) | stats count by ErrorMsg


0 Karma

AravindSridhara
New Member

Thanks it is working. What I should do if I want to do this for multiple error messages along with the one i mentioned above. For example
Failed to create trade for ID 1234    124
Failed to create for ID 3214          470

0 Karma

PPape
Contributor

Yep, in this case richgalloway's answer is the more accurate one. As I said, it was only quick and dirty.

0 Karma

richgalloway
SplunkTrust

That's where the case statement in my answer is useful. Just add an entry to it for each message.

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

You'll need to convert similar error messages into a common form. Try this:

index=XYZ sourcetype="Apache Log" Error | eval PT_ErrMsg=case(match(PT_ErrMsg,"Unable to create parallel trade for trade ID.*"),"Unable to create parallel trade for trade ID", 1=1, PT_ErrMsg) | stats count by PT_ErrMsg
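The technique in the answers above (map each message that varies only by an ID to one canonical form, then count by that form) as an added example in Python; this is not code from the original thread or from Splunk. It implements the explicit rule table that the case(match(...), ...) chain expresses, with a verbatim fallback like the 1=1 branch, and goes one step further with a generic rule that masks every run of digits, so any message that differs only by a numeric ID collapses to the same template without a per-message entry (in SPL the closest equivalent of that generic rule is eval's replace() function with a regex). The sample messages are constructed from the values quoted in the thread; the function and constant names are my own.

```python
import re
from collections import Counter

# Constructed sample values of the PT_ErrMsg field, modelled on the messages
# quoted in the thread. Not real log data.
SAMPLE_MESSAGES = [
    "Execute Hedging Failed",
    "Execute Risk Failed",
    "Unable to create parallel trade for trade ID 12345",
    "Unable to create parallel trade for trade ID 23456",
    "Unable to create parallel trade for trade ID 12345",
    "Failed to create trade for ID 1234",
    "Failed to create trade for ID 3214",
]

# Explicit rules, one per message family, like the case(match(...), ...)
# chain in the accepted answer: (compiled regex, canonical form).
# First match wins; a message that matches no rule is kept as-is,
# which is what the 1=1 default branch does in SPL.
EXPLICIT_RULES = [
    (re.compile(r"^Unable to create parallel trade for trade ID \d+$"),
     "Unable to create parallel trade for trade ID"),
    (re.compile(r"^Failed to create trade for ID \d+$"),
     "Failed to create trade for ID"),
]

# Generic rule: every run of digits becomes a placeholder. No per-message
# rule is needed, at the cost of also masking digits that carry meaning.
DIGIT_RUN = re.compile(r"\d+")


def normalize_explicit(msg: str, rules=EXPLICIT_RULES) -> str:
    """Return the canonical form from the first matching rule, else msg."""
    for pattern, canonical in rules:
        if pattern.search(msg):
            return canonical
    return msg


def normalize_generic(msg: str, placeholder: str = "<ID>") -> str:
    """Replace each digit run, e.g. '... trade ID 12345' -> '... trade ID <ID>'."""
    return DIGIT_RUN.sub(placeholder, msg)


def count_by(messages, normalizer) -> dict:
    """The equivalent of 'stats count by <normalized message>'."""
    return dict(Counter(normalizer(m) for m in messages))


if __name__ == "__main__":
    for name, fn in (("explicit", normalize_explicit), ("generic", normalize_generic)):
        print(f"-- {name} --")
        counts = count_by(SAMPLE_MESSAGES, fn)
        for msg, n in sorted(counts.items(), key=lambda kv: -kv[1]):
            print(f"{n:5d}  {msg}")
```

The explicit table is the precise option: it only merges messages you have named, so a new message family shows up unmerged and you notice it. The generic digit mask is the quick option, but it also collapses digits that matter (an HTTP 500 and an HTTP 404 become "HTTP <ID>"), so narrow the regex to the token you actually want masked, for example digits preceded by "ID ", before relying on its counts.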

AravindSridhara
New Member

Hi richgalloway, this is not working even for the message you have provided. It is listing all the "Unable to create trade" messages.

0 Karma

richgalloway
SplunkTrust

I used the wrong wildcard in the match command. The edited answer should work. Or you can use like as in PPape's answer.

0 Karma