Creating a table, but it shows 3 column error msg?

Khanu89 · ‎05-09-2022

I am trying to create a table which shows 3 column error msg, errorcode, and count. my current query is pulling the errorcode/msg in one column and error count individually instead of whole. Please assist.

my Current Query

My current query My current query

Current Output

Screen Shot 2022-05-09 at 8.46.04 PM.png

Expected Output

Screen Shot 2022-05-09 at 8.52.59 PM.png

VatsalJagani · ‎05-09-2022

@Khanu89 - It's actually an issue with regex (rex) extracting ErrorCode, that it is extracting ErrorCode and error message everything in a single field.

You can try extracting them separately and then you can update your stats to add the error_msg field in the groupby (or by).

I hope this helps!!!

Khanu89 · ‎05-09-2022

@VatsalJagani Thank you for your input. Can you please elaborate on how can I extract separately?

VatsalJagani · ‎05-09-2022

| rex field=_raw "%\s(?<ErrorCode>\d+)\s(?<error_msg>.*)\s"

And then you can use

| stats ..... by ErrorCode, error_msg

something like this. Regex could not be valid for all the use cases, I'm just seeing a few examples from the screenshot.

Creating a table, but it shows 3 column error msg?

chart

panel

table

Index This | What did the zero say to the eight?

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

Now Playing: Splunk Education Summer Learning Premieres

Are you a member of the Splunk Community?

Creating a table, but it shows 3 column error msg?

chart

panel

table

Index This | What did the zero say to the eight?

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

Now Playing: Splunk Education Summer Learning Premieres