Hi,
I want to create a dashboard which will show error reporting within the log file:
[2011-09-12 14:13:00:605 GMT][com.abc.rest.Security][http-8080-Processor15] ERROR Unable to decrypt token [abc.com=3502639832.36895.0000; path=/] due to error: Input length must be multiple of 16 when decrypting with padded cipher
[2011-09-12 14:13:00:608 GMT][com.abc.filters.AuthenticationFilter][http-8080-Processor15] DEBUG ValidAuthToken: false
[2011-09-13 16:43:40:134 GMT][com.abc.PerfManager][http-8080-Processor13] ERROR Operation Failed: GET_ACCOUNT_ORDER [Status Code: 0150 Message: ACCESS_DENIED]
[2011-09-13 16:43:40:137 GMT][com.abc.rest.ResolvePackage][http-8080-Processor13] WARN MCE error occurred [StatusCode: 0150]
The above errors occur more than once at different times, and I want to count them all and show a pie chart of these errors with their counts. Basically, these errors could be anything that starts with ERROR.
I should also get the top 10 warnings in the logs with their counts.
How could I categorize the different errors so that I can show them in a dashboard?
I couldn't find a good way to implement it in Splunk. Can anyone help me out on how to implement it in Splunk?
Thanks!
"Event Types" are your friend 🙂
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Abouteventtypes
We cannot tell you EXACTLY how to resolve your issue without knowing more exact details about your errors. How are errors identified? What level of detail do you want when extracting error information? What issues are you currently running into, extracting the error information or creating the dashboard, or...
If errors are identified by for instance what's between "ERROR " and " [", just create a field extraction that will handle that.
index=abc | rex "ERROR (?<error>.+?) \["
This will give you various error types as values in the "error" field. If you want to get the top 10 error types, use:
index=abc | rex "ERROR (?<error>.+?) \[" | top 10 error
If you want permanent extractions, use the Interactive Field Extractor or create your own in props.conf / transforms.conf.
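To make the answer above concrete, here is a small added example (not part of the original thread and not Splunk's own code) that applies the same categorization to the log lines from the question outside Splunk: it parses the `[timestamp][logger][thread] LEVEL message` layout, derives the error type exactly as the `rex "ERROR (?<error>.+?) \["` extraction does (message text up to the first ` [`), and returns the `top 10` list for a given level. The four events are the ones posted in the question; the fifth line is a constructed repeat of the decrypt error so that a count greater than one actually appears. Because the type is derived from the message rather than from a hand-written list, a new error string that shows up tomorrow is counted automatically, which is the gap the follow-up post raises about enumerated event types.

```python
import re
from collections import Counter

# Log excerpt from the question (first four lines) plus one CONSTRUCTED repeat of
# the decrypt error with a later timestamp and a dummy token, so there is something to count.
SAMPLE_LOG = """\
[2011-09-12 14:13:00:605 GMT][com.abc.rest.Security][http-8080-Processor15] ERROR Unable to decrypt token [abc.com=3502639832.36895.0000; path=/] due to error: Input length must be multiple of 16 when decrypting with padded cipher
[2011-09-12 14:13:00:608 GMT][com.abc.filters.AuthenticationFilter][http-8080-Processor15] DEBUG ValidAuthToken: false
[2011-09-13 16:43:40:134 GMT][com.abc.PerfManager][http-8080-Processor13] ERROR Operation Failed: GET_ACCOUNT_ORDER [Status Code: 0150 Message: ACCESS_DENIED]
[2011-09-13 16:43:40:137 GMT][com.abc.rest.ResolvePackage][http-8080-Processor13] WARN MCE error occurred [StatusCode: 0150]
[2011-09-14 09:01:12:001 GMT][com.abc.rest.Security][http-8080-Processor07] ERROR Unable to decrypt token [abc.com=0000000000.00000.0000; path=/] due to error: Input length must be multiple of 16 when decrypting with padded cipher
"""

# One event per line: [timestamp][logger][thread] LEVEL message
EVENT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<logger>[^\]]+)\]\[(?P<thread>[^\]]+)\] "
    r"(?P<level>[A-Z]+) (?P<msg>.*)$"
)

# Same idea as the answer's  rex "ERROR (?<error>.+?) \["  : the error type is the
# message text up to the first " [". That cuts off the variable tail (session tokens,
# status codes), so repeats of the same error collapse onto one value.
CATEGORY_RE = re.compile(r"^(?P<error>.+?) \[")


def parse_event(line):
    """Return the fields of one log line, or None if it is not in the expected layout."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def categorize(msg):
    """Error/warning type: text before the first ' ['; the whole message if there is none."""
    m = CATEGORY_RE.match(msg)
    return m.group("error") if m else msg.strip()


def count_by_level(lines, level):
    """Counter of categories over all events at the given level (ERROR, WARN, ...)."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev and ev["level"] == level:
            counts[categorize(ev["msg"])] += 1
    return counts


def top_n(lines, level, n=10):
    """Equivalent of '... | top n error': (category, count) pairs, most frequent first."""
    return count_by_level(lines, level).most_common(n)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for level in ("ERROR", "WARN"):
        print(level)
        for cat, n in top_n(lines, level):
            print(f"  {n:3d}  {cat}")
```

Run as-is it prints two ERROR types (the decrypt failure twice, the GET_ACCOUNT_ORDER failure once) and one WARN type; the DEBUG line is ignored. The same `top_n` call with `"WARN"` is the offline counterpart of the top-10-warnings search asked for in the question. Splitting on the first ` [` is a deliberate choice: anything after it in these lines is per-request data, and keeping it would turn every occurrence into its own category.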
Hi,
Thanks for the reply. I defined different event types as shown below:
[Auth_Error_Eventtype]
search = index=abc Auth error
[Conn_Error_Eventtype]
search = index=abc error while connecting
Here, I have to specify each and every search string for specific errors. If any new error occurs tomorrow, it will not be captured here, as I will only be going through this defined list of event types.
I'm sure this is a pretty common issue with any type of error reporting. Can you tell me exactly how to resolve this issue?
Thanks!