Dashboards & Visualizations

How to group events with similar field value

deepaksn1214
Engager

I want to group events with similar pattern of error messages .  This is how the data looks like

Message|Count
Error replaying queued events: undefined                                                1
initConfig is missing!                                                                                           1
"Error loading https://www.example.com/123 timeTaken=1 ms"  1
"Error loading https://www.example.com/123 timeTaken=2 ms"  1

Expected Output
Message|Count
Error replaying queued events: undefined 1
initConfig is missing!                                            1
"Script Load Error"                                                2

This is the query i am using

 | eval Message.msg=case(like(Message.msg,"Error loading https://%"), "Script loading Error", 1=1, Message.msg) | stats count by Message.msg

Labels (1)
0 Karma

bowesmana
SplunkTrust
SplunkTrust

@deepaksn1214 

Your existing Message.msg contains a quote before the Error, so you need to include that in the like statement

| eval Message.msg=case(like(Message.msg,"\"Error loading https://%"), "Script loading Error", 1=1, Message.msg) 
| stats count by Message.msg

 See the \" before the Error

Hope this helps

 

0 Karma

deepaksn1214
Engager

@bowesmana 

Thanks for looking into this. 

Tried it with the "\" and it dint work. 

I was trying different things , one thing I noticed is, if I change the field Message.msg in the like statement to a static string like "Error loading something" I get a single resultset. Do you think it has something to do ? 

This is the query I am using 

index="fe_logging" logType=ERROR userId=TrackStar | eval Message.msg=case(like(Message.msg,"\"Error loading%"), "Script loading Error") | stats count by Message.msg

0 Karma

bowesmana
SplunkTrust
SplunkTrust

When using field names in eval statements, that contain non standard characters, you need to surround your field name with single quotes

 

index="fe_logging" logType=ERROR userId=TrackStar 
| eval Message.msg=case(like('Message.msg',"\"Error loading%"), "Script loading Error")
| stats count by Message.msg

See the extra quotes surrounding 

 

'Message.msg'

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...