How to make pattern of error events?

Explorer

Hello,
I want to create a pattern for similar error messages without discarding all the events.
Let's say I have events like:
error occurred from ui correlationId; abcd1234
error occurred from ui correlationId; abcd2345
error occurred from ui correlationId; abcd4536
error occurred from ui correlationId; abcd6475

Like that, it has 100 errors; when I try to count, it shows 100 different errors, but in this case it is just a single error.
Here I want to do the following:
1. error occurred from ui correlationId; xxxx-yyyy, capturing the remaining message
2. Count the total similar events as a single error
3. Any better solution to capture different errors so we can take action immediately would be very useful in our production...

0 Karma

Influencer

Extract single error using rex command:

| rex field=_raw "(?<single_error>[^\d]+)"

Sample query:

| makeresults
| eval _raw="error occurred from ui correlationId; abcd1234"
| append [ | makeresults | eval _raw="error occurred from ui correlationId; abcd2345" ]
| rex field=_raw "(?<single_error>[^\d]+)"
| stats count by single_error

0 Karma

Explorer

The idea is good, it just stops at numerics...
The idea was that I need to capture all the events while excluding some particular IP address, correlation address, loan number or something like that, but the total count should be the same, as I explained above.

error occurred from ui correlationId; DGHVBJJ243FHG error from the lander price.in
error occurred from ui correlationId; FHGJGBJJ13FGJ error from the lander price.in
error occurred from ui correlationId; DGGJF24HJBG error from the lander price.in

Here, while calculating, it should show the count as 3 as a single event.
But when I use table to see the entire log message, it should show the entire message, so that I can take action on the particular event based on its correlation ID, IP address or something...

0 Karma

Influencer

Ok, you can extract the parts of the logs you are interested in as chunks and then count by those chunks. Here I am excluding the value of correlationId, getting the other parts of the log in 2 fields and counting by those 2 fields. If you want to preserve events then use eventstats in place of stats.

| makeresults
| eval _raw="error occurred from ui correlationId; DGHVBJJ243FHG error from the lander price.in"
| append [ | makeresults | eval _raw="error occurred from ui correlationId; FHGJGBJJ13FGJ error from the lander price.in" ]
| append [ | makeresults | eval _raw="error occurred from ui correlationId; DGGJF24HJBG error from the lander price.in" ]
| rex field=_raw "(?<event_part1>.*);\s[A-Z0-9]+\s(?<event_part2>.*)"
| eventstats count by event_part1, event_part2

0 Karma

Explorer

The idea is good, but I would need to use stats/eventstats for every error pattern...
I'm just trying to make it work for all the global errors...
I'm thinking of using some commands such as LIKE, case, substr, replace.

0 Karma
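The two answers above extract fixed fields per error type; the asker's follow-up wants one rule that works for all errors. The generic version of that approach is to replace every variable-looking token (correlation IDs, IP addresses, loan numbers) with a placeholder, group by the resulting template, and annotate each original event with its group count, as eventstats does. The following is an added example written in Python rather than SPL, not code from the thread or from Splunk; the sample events and the placeholder patterns are constructed assumptions about what "variable" tokens look like in these logs and would need tuning for real data.

```python
"""
Group similar error messages under one template while keeping every original event.
Added example (not from the thread): a pure-Python equivalent of rex + eventstats
that needs no per-error-type regex.
"""
import re
from collections import Counter

# Constructed sample events, modelled on the ones quoted in the thread (not real logs).
SAMPLE_EVENTS = [
    "error occurred from ui correlationId; abcd1234",
    "error occurred from ui correlationId; abcd2345",
    "error occurred from ui correlationId; DGHVBJJ243FHG error from the lander price.in",
    "error occurred from ui correlationId; FHGJGBJJ13FGJ error from the lander price.in",
    "error occurred from ui correlationId; DGGJF24HJBG error from the lander price.in",
    "timeout contacting 10.0.0.7 for loan 778812",
    "timeout contacting 10.0.0.9 for loan 990021",
]

# Assumed token shapes, most specific first so an IP address is replaced as a whole
# before the bare-number rule could split it. Adjust these for your own log formats.
VARIABLE_PATTERNS = [
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<IP>"),
    # a token of 6+ letters/digits containing at least one digit AND one letter, e.g. abcd1234
    (re.compile(r"\b(?=[A-Za-z0-9]*\d)(?=[A-Za-z0-9]*[A-Za-z])[A-Za-z0-9]{6,}\b"), "<ID>"),
    (re.compile(r"\b\d+\b"), "<NUM>"),
]


def template_of(message):
    """Return the message with every variable token replaced by a placeholder."""
    tmpl = message
    for pattern, placeholder in VARIABLE_PATTERNS:
        tmpl = pattern.sub(placeholder, tmpl)
    return tmpl


def group_events(events):
    """
    Return (counts, annotated):
      counts    -- template -> number of events, like `stats count by template`
      annotated -- one (template, count, raw_event) per input, like `eventstats`,
                   so the full message survives for drilling into a single event.
    """
    templates = [template_of(e) for e in events]
    counts = Counter(templates)
    annotated = [(t, counts[t], raw) for t, raw in zip(templates, events)]
    return counts, annotated


def top_templates(events, n=5):
    """Templates sorted by frequency, for a 'what is failing most right now' view."""
    counts, _ = group_events(events)
    return counts.most_common(n)


if __name__ == "__main__":
    counts, annotated = group_events(SAMPLE_EVENTS)
    for tmpl, count in counts.items():
        print(f"{count:3d}  {tmpl}")
    print()
    for tmpl, count, raw in annotated:
        print(f"[{count}] {raw}")
```

The ordering of the rules is the part that deserves care: the bare-number rule on its own would turn `10.0.0.7` into `<NUM>.<NUM>.<NUM>.<NUM>`, which still groups correctly but hides that the token was an address. In SPL the same idea maps to a chain of `replace()` calls in an `eval` to build a `template` field, followed by `eventstats count by template`.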