Exceptions count different when compared to creati...

girishgene07 · ‎10-18-2016

Hi I am a new to splunk and need help with a query:

index=abc exception | rex ".?(?(?:\w+.)+\w*?Exception)."| stats count by exception
When I use the above query, I am getting a table of exceptions and its count listed, as below

com.system.enterprise.client.arcti.GeneralDomainCallException
java.land.NullPointerException
java.lang.RuntimeException
java.lang.reflect.InvocationTargetException

Here in this case I am getting a event count for java.land.NullPointerException as 3 events occured.
I am trying to create an event type for this particular exception(java.land.NullPointerException) to add it as a tag to a jira,

index=abc exception | rex ".?(?(?:\w+.)+\w?Exception).*"| search exception="java.lang.NullPointerException"
This above query cannot be saved as a event type, as its not accepting tubes "|"

When i try to search specifically for java.land.NullPointerException using the below query-
sourcetype=abc java.lang.NullPointerException*

I am getting an event count as 220 events occured

I am requesting some help to match the exact the event count numbers between my rex and event type query.

sundareshr · ‎10-18-2016

Try these two searches

sourcetype=abc exception | rex "(?<exception>NullPointerException)"| stats count by exception

AND

sourcetype=abc java.lang.NullPointerException*

Exceptions count different when compared to creating event types

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

Exceptions count different when compared to creating event types

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25