Dashboards & Visualizations

How to capture error messages using a lookup file?

georgear7
Communicator

I have different kinds of error messages which will be present in WebSphere SystemOut logs. So it would be difficult for me to give the error message every time in my query when any new error occurs. So what I want to do is to create one lookup file, which should have all the error messages. So my query should use the lookup file to look for error messages and if it's there in the logs, it should show the count of errors based on time by using timechart.

My ultimate goal is to give the error messages in lookup file instead of in my search query every time. So that this lookup file can be used anywhere. Please suggest how to create lookup file and search query for this requirement.

Sample error messages:
SRVE0190E: File not found
SRVE0255E: A WebGroup/Virtual Host has not been defined


georgear7
Communicator

Hi @rnowitzki ,

Thanks for your reply. My lookup file should have known error messages and I want to add new error messages in future instead of mentioning them in my query if they occur.

And there are many unwanted error messages which will have the "ERROR" keyword. I don't want to worry about these. So I want to keep only the required error messages in my lookup file.

@richgalloway Thanks for your suggestion. Let me try that.


richgalloway
SplunkTrust

Assuming your lookup file is called errors.csv and has a single field called "Error" in it, then this query should get you started.

index=foo [ | inputlookup errors.csv | return 1000 $Error ]
---
If this reply helps you, Karma would be appreciated.
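
An offline approximation of the lookup-driven filter plus hourly count that this thread is after, handy for checking lookup entries against sample logs before they go into errors.csv. This is an added example, not code from any poster; the log lines are constructed and the SystemOut line layout is an assumption.

```python
import csv
import io
import re
from collections import Counter
from datetime import datetime

# Constructed lookup content; the column name "Error" follows the reply above.
ERRORS_CSV = """Error
SRVE0190E: File not found
SRVE0255E: A WebGroup/Virtual Host has not been defined
"""

# Constructed SystemOut.log lines (assumed layout: [timestamp TZ] thread logger type message).
SAMPLE_LOG = """\
[8/14/20 10:05:11:201 EDT] 0000004a ServletWrappe E   SRVE0190E: File not found: /app/missing.jsp
[8/14/20 10:41:52:007 EDT] 0000004b webapp        E   SRVE0255E: A WebGroup/Virtual Host has not been defined to handle /old
[8/14/20 10:59:03:450 EDT] 0000004c SystemErr     R   ERROR: unrelated noise that is not in the lookup
[8/14/20 11:02:30:018 EDT] 0000004a ServletWrappe E   SRVE0190E: File not found: /app/other.jsp
[8/14/20 11:15:00:900 EDT] 0000004d ServletWrappe E   SRVE0190E: File not found: /favicon.ico
"""

# Captures date and time up to the seconds; milliseconds and zone are skipped.
TS_RE = re.compile(r"^\[(\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2}):\d{3} \w+\]")

def load_errors(csv_text):
    """Return the non-empty values of the Error column."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r["Error"].strip() for r in rows if r["Error"].strip()]

def hourly_counts(log_text, errors):
    """Count lines containing a lookup message, keyed by (hour bucket, message)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue  # continuation lines such as stack traces carry no timestamp
        ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
        hour = ts.strftime("%Y-%m-%d %H:00")
        for msg in errors:
            # Case-insensitive substring match, a simplification of Splunk term matching.
            if msg.lower() in line.lower():
                counts[(hour, msg)] += 1
    return counts

if __name__ == "__main__":
    result = hourly_counts(SAMPLE_LOG, load_errors(ERRORS_CSV))
    for (hour, msg), n in sorted(result.items()):
        print(hour, n, msg)
```

The line containing only the generic "ERROR" keyword is not counted, which matches the goal of keeping only the required messages in the lookup.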

rnowitzki
Builder

Hi @georgear7 ,

I don't get your requirement 100%.

You want to have all error messages that ever appeared in your WebSphere environment in that lookup, or all error messages that might potentially appear? (from IBM documentation?)

I guess the logs have something like "ERROR" in them, so it should be possible to identify all error events. And you should be able to extract the error ID (like SRVE0190E) on which you could base your timechart...
But not sure if that is what you need.

BR
Ralph


--
Karma and/or Solution tagging appreciated.