Monitoring Splunk

New Errors that did not exist last week

subtrakt
Contributor

Say I did a bunch of changes over the weekend and wanted to see a list of any new errors.

Is there a way I can show only new errors that didn't exist from last week that are probably caused from my change?

Thanks


tcottreau
Explorer

This query doesn't seem to be working for me.

I use a version of your query that looks like this, and I'm using it in a form where I feed date/time fields to the earliest and latest:

index=my_index error OR failed OR severe NOT "on-error" earliest=$field1.earliest$ latest=$field1.latest$
| rex "\[(?<error_type>0x8[\w\d]+)\]"
| stats count AS lasthour by error_type
| appendcols [ search index=my_index error OR failed OR severe NOT "on-error" earliest=$field2.earliest$ latest=$field2.latest$
    | rex "\[(?<error_type>0x8[\w\d]+)\]"
    | stats count AS prevhour by error_type ]
| eval prevhour=if(isnull(prevhour),0,prevhour)
| eval lasthour=if(isnull(lasthour),0,lasthour)
| table error_type prevhour lasthour
| where prevhour=0

I need the regular expression to create the error_type. It is very consistent and I am sure I get 100% coverage of all errors when I do this across all time.

I picked a period where I saw a spike in errors and compared it to a one-hour period exactly one week previous (this makes it much quicker).

The thing is, I take items from the list and query the one-hour period from a week earlier and I get hits. Probably half the errors I get in this report have non-zero results in the previous hour.

Suggestions would be welcome.

0 Karma

yannK
Splunk Employee

First, extract the error keywords as a field.
You can use 2 searches with different time ranges, combine the results with appendcols, and then add some logic to keep only the new errors.

Example:

search1 earliest=-1w@w latest=now | stats count AS thisweek by errorfield
| appendcols [
    search1 earliest=-2w@w latest=-1w@w | stats count AS lastweek by errorfield
  ]
| eval lastweek=if(isnull(lastweek),0,lastweek) | eval thisweek=if(isnull(thisweek),0,thisweek)
| table errorfield lastweek thisweek
| where lastweek=0

subtrakt
Contributor

Sorry, new to Splunk.

If I wanted to search all the messages with 'critical' that exist now but did not exist last week, can you give me an example of how that would be done? What's the best way to extract a keyword? My guess is: search the word, then click the drop-down by the message, and 'extract fields'. Then what? Many thanks.

0 Karma

tcottreau
Explorer

After quite a lot of playing around, I am unsure what use "appendcols" actually is.

The only way this will work is if every single entry in both tables is identical, which is exactly NOT the reason you want to use this.

The results I've seen so far are:

stats1 (today):
X, 1
Y, 2

stats2 (yesterday):
A, 5
B, 3
C, 9

appendcols produces the following:
error, today, yesterday
X, 1, 5
Y, 2, 3
C, , 9

which is actually pretty useless. Now I have yesterday's count of 5 against X, rather than against A where it should be.

I don't quite understand what "appendcols" is good for except putting counts against the wrong fields. It's a bit confusing.

The worst case is that if you have items in a different order, you will get some results against the correct field and some not, depending on the order they are in.

0 Karma
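As an added example (not from any post in this thread), here is a single-search version of the week-over-week comparison that keys both periods on error_type instead of pasting columns together positionally the way appendcols does. It assumes the index, search terms and rex pattern from tcottreau's post above, and the -1w@w / -2w@w week boundaries from yannK's answer.

```spl
index=my_index (error OR failed OR severe) NOT "on-error" earliest=-2w@w latest=now
| rex "\[(?<error_type>0x8[\w\d]+)\]"
| eval period=if(_time >= relative_time(now(), "-1w@w"), "thisweek", "lastweek")
| chart count OVER error_type BY period
| eval thisweek=coalesce(thisweek, 0), lastweek=coalesce(lastweek, 0)
| where lastweek=0 AND thisweek>0
| sort - thisweek
```

Because both periods come from one search, every row is built from the same error_type value, so a row with lastweek=0 really is an error that only appears in the newer period; this also avoids the subsearch result limits that apply to appendcols and append.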

tcottreau
Explorer

Subtrakt, I know this is a bit late.

To do this, you need a unique error field of some kind. Without it, you would have to match on some unique text in the error.

If you look at my example below, I use a rex field to create a unique field, although, I'm not sure if it's working correctly.

You just have to add the word "critical" to search1 and search2 in the example, depending on the wording of the search.

0 Karma