Exceptions count different when compared to creati...

girishgene07 · ‎10-18-2016

Hi I am a new to splunk and need help with a query:

index=abc exception | rex ".?(?(?:\w+.)+\w*?Exception)."| stats count by exception
When I use the above query, I am getting a table of exceptions and its count listed, as below

com.system.enterprise.client.arcti.GeneralDomainCallException
java.land.NullPointerException
java.lang.RuntimeException
java.lang.reflect.InvocationTargetException

Here in this case I am getting a event count for java.land.NullPointerException as 3 events occured.
I am trying to create an event type for this particular exception(java.land.NullPointerException) to add it as a tag to a jira,

index=abc exception | rex ".?(?(?:\w+.)+\w?Exception).*"| search exception="java.lang.NullPointerException"
This above query cannot be saved as a event type, as its not accepting tubes "|"

When i try to search specifically for java.land.NullPointerException using the below query-
sourcetype=abc java.lang.NullPointerException*

I am getting an event count as 220 events occured

I am requesting some help to match the exact the event count numbers between my rex and event type query.

sundareshr · ‎10-18-2016

Try these two searches

sourcetype=abc exception | rex "(?<exception>NullPointerException)"| stats count by exception

AND

sourcetype=abc java.lang.NullPointerException*

Exceptions count different when compared to creating event types

Maximizing the Value of Splunk ES 8.x

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Introducing .conf Stories Series!

Are you a member of the Splunk Community?

Exceptions count different when compared to creating event types

Maximizing the Value of Splunk ES 8.x

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Introducing .conf Stories Series!