Application error dashboard
Hi
I need to prepare a dashboard which shows the list of applications and the error count for the past 7 days. I need to show it in table format with the application that has the highest number of errors on top. May I know how I can achieve that?
Hi
Thanks for your quick reply. Yes, in my company there are around 100 applications installed on a single physical server. The only way to identify the application name is based on the app log file name, as all errors specific to an app will be written into a specific log file. But all the logs are under one folder structure on the server. So how can I prepare a dashboard with the app name and error count and sort the list based on the highest errors?
Here is an example entry for an event in Splunk:
[Jul 27, 2016 02:55:38] ERROR [] [VehicleDAO] TimeoutException from callVINtelligenceWS method call : null
date_mday = 27 date_month = july host = ods010adlrp04 source = /clocal/www/logs/WAS/WebSphere7/cscsales.log
How can I sort and show the top 20 applications in this dashboard?
I tried this but it didn't work:
source = /clocal/www/logs/WAS/WebSphere7/*.log error | stats count AS ERR_CNT by source | sort limit=20 ERR_CNT


You will need to use the top command along with defining the field error. See my comment above: I would work on extracting the app name, then extracting the error name, then use the top command to order them from greatest to smallest.


Hello @saikalyani9, welcome to Splunk Answers.
To make a dashboard you will need to define some fields, then use them in your query. First you will need to define what an application is, then you will need to define what an error is.
By application, I'm assuming you work in a company that has multiple applications. I would look at the events and see if each application is unique or has the name in the event somewhere. If so, then you will need to write a regular expression to make that a field. You will then need to define what an error is. Are errors anything other than a 200? Or do you consider only 404s errors?
Once both these fields are defined, you will then need to write a query like this:
index=unleashed Application=* | timechart count by Error
Application will be the field which you defined as the application and Error will be the field you defined as an error. The timechart command will make a visual representation of your data. Give us a sample of your logs and I can help you write a regular expression to extract these fields from your logs.
Hi
Today I prepared a simple dashboard with the application log file names and the count corresponding to each log file.
That dashboard looks something like this:
Source Count
/clocal/www/logs/WAS/WebSphere7/dcsession.log 23123
/clocal/www/logs/WAS/WebSphere7/sales.common.log 345345
/clocal/www/logs/WAS/WebSphere7/voim.log 4534
/clocal/www/logs/WAS/WebSphere7/dipap.log 343
/clocal/www/logs/WAS/WebSphere7/dcws.log 3453
If I need to show just the application name instead of the entire path with the log file name in the dashboard, how can I do that?


You will need to extract the field using a regular expression, then use that field in your query. What's the name of the application below? Is it dcsession, sales, voim, etc.?
If so, then your regex will look like this:
(?P<AppName>(?<=WebSphere7\/)\w+(?=\.common|\.log))
Go to your Fields section, Extract New Fields, I'd prefer to write the regular expression myself, then paste this regex in, then review it, then save
/clocal/www/logs/WAS/WebSphere7/dcsession.log 23123
/clocal/www/logs/WAS/WebSphere7/sales.common.log 345345
/clocal/www/logs/WAS/WebSphere7/voim.log 4534
/clocal/www/logs/WAS/WebSphere7/dipap.log 343
/clocal/www/logs/WAS/WebSphere7/dcws.log 3453

Assuming each log is a different application, use some regex to pull the filename from the source field into a new field, then use eval or a lookup to give more friendly application names.
https://answers.splunk.com/answers/268995/how-to-extract-filename-form-source-field.html
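
Added example (not part of any post in this thread): one search that combines the steps discussed above, reusing the source path, the AppName field name and the ERR_CNT alias from the posts. It assumes every application's log file is named <app>.log or <app>.common.log, as in the sample sources; the minus sign in sort orders the rows from highest to lowest count.

```spl
source="/clocal/www/logs/WAS/WebSphere7/*.log" ERROR earliest=-7d
| rex field=source "WebSphere7/(?<AppName>\w+)(?:\.common)?\.log$"
| stats count AS ERR_CNT BY AppName
| sort 20 -ERR_CNT
```

Sources whose file name does not match the pattern get no AppName and drop out of the stats table, so compare the result once against `stats count by source` to confirm no application is missing.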
