Solved: Re: Exceptions that never happened before

See0 · ‎03-16-2023

Hello guys,

I will try to describe my problem as good as i can. I want to get some raport/alert when a new exception appears but that never happened before.

let say that i have 15 exceptions that happened before like: java.lang.NullPointer, java.lang.IllegalStateException.. etc.

i want to get an alert when a “new” exception appear that never appeared before.

Is that possible?

bowesmana · ‎03-16-2023

Yes, you can. You will need to keep a record of exceptions that you have seen before in a lookup file, so that when you run a search you can then lookup against that file.

Here is some very pseudo SPL that can be used, but you will need to tailor it to your data and use case.

index=my_index *Exception*
``` Work out what is your exception here using some eval statemsnt or field extractions ```
| eval ExceptionName=...
| lookup my_previous_exceptions.csv ExceptionName OUTPUT ExceptionName as FoundExceptionName
| where isnull(FoundExceptionName)
``` Now you have events that contain new exceptions, ```

``` you can finally merge the new and existing exceptions that new Exception to your lookup ```
| fields ExceptionName _time
| outputlookup append=t my_previous_exceptions.csv

View solution in original post

bowesmana · ‎03-16-2023

Yes, you can. You will need to keep a record of exceptions that you have seen before in a lookup file, so that when you run a search you can then lookup against that file.

Here is some very pseudo SPL that can be used, but you will need to tailor it to your data and use case.

index=my_index *Exception*
``` Work out what is your exception here using some eval statemsnt or field extractions ```
| eval ExceptionName=...
| lookup my_previous_exceptions.csv ExceptionName OUTPUT ExceptionName as FoundExceptionName
| where isnull(FoundExceptionName)
``` Now you have events that contain new exceptions, ```

``` you can finally merge the new and existing exceptions that new Exception to your lookup ```
| fields ExceptionName _time
| outputlookup append=t my_previous_exceptions.csv

See0 · ‎03-17-2023

And i dont really understand the eval ExceptionName=…

what should i put here?

@bowesmana

bowesmana · ‎03-17-2023

So, depending on your data, you will have an event containing some information containing the text of the Exception, whether it's a full stack trace or just the exception name, but let's assume that your Splunk event contains

bla bla bla java.lang.NullPointerException bla bla bla

then unless you have a field in the data that has the name of the exception you need to create a field, either through an eval statement or a rex field extraction

If you don't have a field in the data, then you would use a rex statement, e.g. one of these would extract either the simple name or the full class name

| rex "(\w+\.)+(?<ExceptionName1>.*Exception) "
| rex "(?<ExceptionName2>(\w+\.)+\w+Exception) "

an eval statement could be used to manipulate an existing field.

All of this will depend on what your data looks like though.

See0 · ‎03-18-2023

@bowesmana
Thank you a lot for your time, could tou show me how the las version of the search should look like with the “rex”

bowesmana · ‎03-20-2023

You will have to show what you are currently doing, where your data exists and the results you are getting to get further help. I can't provide direct searches without knowing your environment.

See0 · ‎03-21-2023

I have message you.

See0 · ‎03-17-2023

Could you explain me how do i do the backup file?

Like an example..

im pretty new.

bowesmana · ‎03-20-2023

I don't know what you mean by a backup file in Splunk context

See0 · ‎03-28-2023

I have write you in private.

bowesmana · ‎03-28-2023

Please post the examples here, so any solutions can help others. I do not give answers through private messages.

Thanks.

See0 · ‎04-24-2023

Could you help me?

bowesmana · ‎04-30-2023

What exactly are you stuck with?

See0 · ‎05-01-2023

Hello, even if i make the search wiht the data that i have is showing me all the exception, is not excluding the exception from the .csv.

How exactly should i make the search to get only the exception that are not in the file?

bowesmana · ‎05-01-2023

Please post your current search and an example of the contents of the csv

See0 · ‎05-01-2023

Hi,

Currently im trying to search against this file :

index="doc" Exception error NOT [ | inputlookup KnownException.csv]

My csv file looks like this(140 exceptions):

My env looks like this:

When i run this query i want to extract only the exceptions that are not in the file. Somehow this is not happening and is showing me even the exceptions that are present in the file.

I want to full exclude all the exceptions from the file.

bowesmana · ‎05-02-2023

What is the column name of the field in your exception CSV?

Your subsearch will translate to

( ( Field = A) OR (Field = B) OR (Field = C) )

where Field is the name of the column in your CSV and therefore MUST also be a field in your data. If it is not a field in your data, then you will be looking for event that do NOT contain those Fields, which will be everything.

You can also add this to your subsearch

| return 200 $Field

Where 'Field' is the name of your column in the CSV and it will return just the text of the exception in the csv.

See0 · ‎05-02-2023

Hello, the column is called "exception" and i don't have that column extracted as a field?

What you recommend?

And also how should look the final search ?

Thank you so much for the time and help.

bowesmana · ‎05-03-2023

Have you tried my second suggestion?

See0 · ‎04-11-2023

Those are my type of exceptions.

How to get a report/alert when a new exception happens that never happened before?

distributed search

forwarder management

indexer clustering

indexing performance

monitoring console

proactive Splunk component monitoring

resource usage

search head clustering

search performance

smartstore

splunkd

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!