Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to capture error messages using lookup file ?

georgear7
Communicator
‎09-09-2020 07:33 AM

I have different kinds of error messages which will be present in WebSphere SystemOut logs. So it would be difficult for me to give error message every time in my query when any new error occurs. So what i want to do is to create one lookup file, which should have all the error messages. So my query should use lookup file to look for error messages and if it's there in logs, it should shows the count of errors based on time by using timechart.

My ultimate goal is to give the error messages in lookup file instead of in my search query every time. So that this lookup file can be used anywhere. Please suggest how to create lookup file and search query for this requirement.

Sample error messages:
SRVE0190E: File not found
SRVE0255E: A WebGroup/Virtual Host has not been defined

Labels (1)
Labels
0 Karma
Reply

georgear7
Communicator
‎09-09-2020 06:47 PM

Hi @rnowitzki ,

Thanks for your reply. My lookup file should have known error messages and i want to add new error messages in future instead of mentioning in my query if it occurs.

 

and there are many unwanted error messages which will be having "ERROR" keyword. i don't want to worry about this. So i want to keep only the required error messages in my lookup file.

 

@richgalloway Thanks for your suggestion. Let me try that.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-09-2020 09:42 AM

Assuming your lookup file is called errors.csv and has a single field called "Error" in it, then this query should get you started.

index=foo [ | inputlookup errors.csv | return 1000 $Error ]
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

rnowitzki
Builder
‎09-09-2020 08:26 AM

Hi @georgear7 ,

I don't get your requirement 100%.

You want to have all error messages that ever appeared in your Websphere environment in that lookup, or all error messages that might potentially appear? (from IBM documentation?)

I guess the Logs have something like "ERROR" in it, so it should be possible to identify all Error Events. And you should be able to extract the error id (like SRVE0190E) on which you could base your timechart on...
But not sure if that is what you need.

BR
Ralph


--
Karma and/or Solution tagging appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...