Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to capture error messages using lookup file ?

georgear7
Communicator
‎09-09-2020 07:33 AM

I have different kinds of error messages which will be present in WebSphere SystemOut logs. So it would be difficult for me to give error message every time in my query when any new error occurs. So what i want to do is to create one lookup file, which should have all the error messages. So my query should use lookup file to look for error messages and if it's there in logs, it should shows the count of errors based on time by using timechart.

My ultimate goal is to give the error messages in lookup file instead of in my search query every time. So that this lookup file can be used anywhere. Please suggest how to create lookup file and search query for this requirement.

Sample error messages:
SRVE0190E: File not found
SRVE0255E: A WebGroup/Virtual Host has not been defined

Labels (1)
Labels
0 Karma
Reply

georgear7
Communicator
‎09-09-2020 06:47 PM

Hi @rnowitzki ,

Thanks for your reply. My lookup file should have known error messages and i want to add new error messages in future instead of mentioning in my query if it occurs.

 

and there are many unwanted error messages which will be having "ERROR" keyword. i don't want to worry about this. So i want to keep only the required error messages in my lookup file.

 

@richgalloway Thanks for your suggestion. Let me try that.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-09-2020 09:42 AM

Assuming your lookup file is called errors.csv and has a single field called "Error" in it, then this query should get you started.

index=foo [ | inputlookup errors.csv | return 1000 $Error ]
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

rnowitzki
Builder
‎09-09-2020 08:26 AM

Hi @georgear7 ,

I don't get your requirement 100%.

You want to have all error messages that ever appeared in your Websphere environment in that lookup, or all error messages that might potentially appear? (from IBM documentation?)

I guess the Logs have something like "ERROR" in it, so it should be possible to identify all Error Events. And you should be able to extract the error id (like SRVE0190E) on which you could base your timechart on...
But not sure if that is what you need.

BR
Ralph


--
Karma and/or Solution tagging appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

How to send events & findings from AWS to Splunk using Amazon EventBridge

Amazon EventBridge is a serverless service that uses events to connect application components together, making ...

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...
Top