Exceptions count different when compared to creati...

girishgene07 · ‎10-18-2016

Hi I am a new to splunk and need help with a query:

index=abc exception | rex ".?(?(?:\w+.)+\w*?Exception)."| stats count by exception
When I use the above query, I am getting a table of exceptions and its count listed, as below

com.system.enterprise.client.arcti.GeneralDomainCallException
java.land.NullPointerException
java.lang.RuntimeException
java.lang.reflect.InvocationTargetException

Here in this case I am getting a event count for java.land.NullPointerException as 3 events occured.
I am trying to create an event type for this particular exception(java.land.NullPointerException) to add it as a tag to a jira,

index=abc exception | rex ".?(?(?:\w+.)+\w?Exception).*"| search exception="java.lang.NullPointerException"
This above query cannot be saved as a event type, as its not accepting tubes "|"

When i try to search specifically for java.land.NullPointerException using the below query-
sourcetype=abc java.lang.NullPointerException*

I am getting an event count as 220 events occured

I am requesting some help to match the exact the event count numbers between my rex and event type query.

sundareshr · ‎10-18-2016

Try these two searches

sourcetype=abc exception | rex "(?<exception>NullPointerException)"| stats count by exception

AND

sourcetype=abc java.lang.NullPointerException*

Exceptions count different when compared to creating event types

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation