Thanks for responding, this has gotten me much closer and this is helping me to understand the correct usage of spath and rex. THe piechart is showing up, but I don't quite understand what I'm getting. THe pieces of the pie seem to be divided and labeled by time or date (depending on search time period). I'm looking to replace that with the actual Detail.error.message.message. Is this possible?

Thank you,

I have attached screenshots.

https://imgur.com/AGf3Sgb

https://imgur.com/bya90Us

Oh, you need a pie chart! Then change timechart to just chart and you should be good to go.

@DalJeanis - When using "chart" as opposed to "timechart", I receive a No Results Found. This is on the same search criteria.

index="ips_snaplogic""postsales" lvl="ERROR"| spath| rex mode=sed "s/.*{/{/"
| spath output=msg path=Detail.error.message.message
| chart count BY msg

Also, when I use the " | table msg | chart count by msg" . - I get a message instructing me to use verbose. This gives me Events, but no Chart says "No results found."

index="ips_snaplogic""postsales" lvl="ERROR"| spath| rex mode=sed "s/.*{/{/"
| spath output=msg path=Detail.error.message.message
| table msg | chart count by msg

I've looked around, but I see no reason why I should receive these messages.

Thanks again for everything.

Thanks again for the response. Is there any reason I would get results for this search:

index="ips_snaplogic""postsales" lvl="ERROR"| spath| rex mode=sed "s/.*{/{/"
| spath output=msg path=Detail.error.message.message
| timechart count by msg

...but when I change timechart to chart I get "No results found"?

I can't find anything. I've been looking for any thing on chart, but found no reason for this.

Thanks again

Hey @zeroCalm 

One of the reason why the results are coming for count and not for timechart is because the timechart must not be pointing to correct field for _time. You can override it by converting your time field to splunk time format and pass to _time.

Ex: eval formatted_time =strptime(you_time_field_value,"%Y-%m-%dT%H:%M:%S") | eval _time = formatted_time

Posting it as it might help others 🙂

@zerocalm - Start off by NOT feeding it to a pie chart. Just look at the data that is left after you extract the JSON.

Cut the data down to ONLY whatever you want the pie chart to show. If you are wanting the count by msg, then all you need is |table msg then | chart count by msg.

Okay, |table msg is redundant if it's immediately followed by that chart command, but I'm teaching a thought process here. Look at the data. Format the data. Get rid of everything that isn't the data you want.

In this case, the message is crazy long to put in a pie chart. In the example data, which of these is your error message?

Upsert failed. 

Error Message: Upsert failed. 

Error Message: Upsert failed. First exception on row 0; first error: REQUIRED_FIELD_MISSING

Error Message: Upsert failed. First exception on row 0; first error: REQUIRED_FIELD_MISSING, Required fields are missing: [LastName]: [LastName]\n\n

Use this to look at the top 5 messages and see what part of them you really need.

| stats count by msg
| sort 5 - count

or its equivalent

| top 5 msg

Figure out what part of message you want to use as the title for the pie slice, then we can get that extracted and finish your viz.