Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to capture error messages using lookup file ?

georgear7
Communicator
‎09-09-2020 07:33 AM

I have different kinds of error messages which will be present in WebSphere SystemOut logs. So it would be difficult for me to give error message every time in my query when any new error occurs. So what i want to do is to create one lookup file, which should have all the error messages. So my query should use lookup file to look for error messages and if it's there in logs, it should shows the count of errors based on time by using timechart.

My ultimate goal is to give the error messages in lookup file instead of in my search query every time. So that this lookup file can be used anywhere. Please suggest how to create lookup file and search query for this requirement.

Sample error messages:
SRVE0190E: File not found
SRVE0255E: A WebGroup/Virtual Host has not been defined

Labels (1)
Labels
0 Karma
Reply

georgear7
Communicator
‎09-09-2020 06:47 PM

Hi @rnowitzki ,

Thanks for your reply. My lookup file should have known error messages and i want to add new error messages in future instead of mentioning in my query if it occurs.

 

and there are many unwanted error messages which will be having "ERROR" keyword. i don't want to worry about this. So i want to keep only the required error messages in my lookup file.

 

@richgalloway Thanks for your suggestion. Let me try that.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-09-2020 09:42 AM

Assuming your lookup file is called errors.csv and has a single field called "Error" in it, then this query should get you started.

index=foo [ | inputlookup errors.csv | return 1000 $Error ]
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

rnowitzki
Builder
‎09-09-2020 08:26 AM

Hi @georgear7 ,

I don't get your requirement 100%.

You want to have all error messages that ever appeared in your Websphere environment in that lookup, or all error messages that might potentially appear? (from IBM documentation?)

I guess the Logs have something like "ERROR" in it, so it should be possible to identify all Error Events. And you should be able to extract the error id (like SRVE0190E) on which you could base your timechart on...
But not sure if that is what you need.

BR
Ralph


--
Karma and/or Solution tagging appreciated.
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...