Re: HTTP error table

Khanu89 · ‎05-09-2022

I am trying to create a table which shows 3 column error msg, errorcode, and count. my current query is pulling the errorcode/msg in one column and error count individually instead of whole. Please assist.

my Current Query

My current query

Current Output

Expected Output

VatsalJagani · ‎05-09-2022

@Khanu89 - It's actually an issue with regex (rex) extracting ErrorCode, that it is extracting ErrorCode and error message everything in a single field.

You can try extracting them separately and then you can update your stats to add the error_msg field in the groupby (or by).

I hope this helps!!!

Khanu89 · ‎05-09-2022

@VatsalJagani Thank you for your input. Can you please elaborate on how can I extract separately?

VatsalJagani · ‎05-09-2022

| rex field=_raw "%\s(?<ErrorCode>\d+)\s(?<error_msg>.*)\s"

And then you can use

| stats ..... by ErrorCode, error_msg

something like this. Regex could not be valid for all the use cases, I'm just seeing a few examples from the screenshot.

Creating a table, but it shows 3 column error msg?

chart

panel

table

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?