Monitoring Splunk

how to prepare table of exceptions and its count occurred in last 2 days

bipin_tiwari
New Member

Hi ,
Since very long time I am struggling to display a table of list of all exception raised by my application in last few days (as specified) .

I referred several Splunk answers on this subject but it didn't prove to be helpful. I will be very grateful if Splunk support team can help me in achieving my objective . I also wish to tell that when I perform search I find many fields like host, source , sourcetype , date_minute, date_month, date_mday , date_zone but I dont see the field exception or error however exceptions occurred and recorded in Splunk in given period of time. Is there anything going wrong which is why searchhead not extracting exception or error fields from events . Please assist with detailed explanation and splunk query.

I want output in following format
Exception Today Yesterday 27 Jan 26 Jan
NullPointer 100 80 89 39
ArrayIndexOutOfBound 8 7 0 0
InvalidCartException 0 0 40 7
AuthenticationFailed 5 5 5 2

I am also fine if table is displayed in following format . where day1 is today , day2 is yesterday , day3 is day before yesterday and so on.

Exception day1 day2 day3 day4
NullPointer 100 80 89 39
ArrayIndexOutOfBound 8 7 0 0
InvalidCartException 0 0 40 7
AuthenticationFailed 5 5 5 2

After displaying above table in Statistics tab I want to draw the Pie chart for this table in Visualization tab.

Thanks
Bipin

Tags (2)
0 Karma

renjith_nair
Legend

@bipin_tiwari ,

Below search should give you the expected outout if the Exception field is available. You may adjust the earliest value according to your requirement.

"your base search" earliest=-4d@d |eval date=strftime(_time,"%Y-%m-%d")|chart count over Exception  by date

If the field exception is not extracted by default, please provide some sample logs(anonymize confidential data)

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

bipin_tiwari
New Member

Hi @renjith.nair

Search is working and returning more than 1.5 lakh events but expected outcome (table and chart) still not coming .
Following are some logs extracted from source came in search result. here UnknownIdentifierException exception is raised again and again so I do expect that this exception should come in table under Statistics tab but its Statistics tab is showing no result however Events tab is having more than 1.5 lakh event .

[RestHandlerExceptionResolver] [] Translating exception [de.hybris.platform.servicelayer.exceptions.UnknownIdentifierException]: no valid account found for this uid :1190100

[RestHandlerExceptionResolver] [] Translating exception [de.hybris.platform.servicelayer.exceptions.UnknownIdentifierException]: no valid account found for this uid :1190100
INFO | jvm 1 | main | 2019/01/29 14:28:58.379 | 2019-01-29 14:28:58.351ERROR [hybrisHTTP9] [RestHandlerExceptionResolver] [] de.hybris.platform.servicelayer.exceptions.UnknownIdentifierException: no valid account found for this uid :1190100

[de.hybris.platform.servicelayer.exceptions.UnknownIdentifierException]: no valid account found for this uid :1190363
INFO | jvm 1 | main | 2019/01/29 14:29:03.694 | 2019-01-29 14:29:03.614ERROR [hybrisHTTP29] [RestHandlerExceptionResolver] [] de.hybris.platform.servicelayer.exceptions.UnknownIdentifierException: no valid account found for this uid :1190363

[RestHandlerExceptionResolver] [] Translating exception [de.hybris.platform.servicelayer.exceptions.UnknownIdentifierException]: no valid account found for this uid :1190373
INFO | jvm 1 | main | 2019/01/29 14:29:04.499 | 2019-01-29 14:29:04.470ERROR [hybrisHTTP76] [RestHandlerExceptionResolver] [] de.hybris.platform.servicelayer.exceptions.UnknownIdentifierException: no valid account found for this uid :1190373

[RestHandlerExceptionResolver] [] Translating exception [de.hybris.platform.servicelayer.exceptions.UnknownIdentifierException]: no valid account found for this uid :1190398
INFO | jvm 1 | main | 2019/01/29 14:29:06.206 | 2019-01-29 14:29:06.171ERROR [hybrisHTTP121] [RestHandlerExceptionResolver] [] de.hybris.platform.servicelayer.exceptions.UnknownIdentifierException: no valid account found for this uid :1190398

0 Karma

renjith_nair
Legend

@bipin_tiwari , do you have the Exception field extracted? Try and see if you get any result in statistics

index="your index" |stats count by Exception
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

bipin_tiwari
New Member

@renjith.nair , index="hbr-itv" |stats count by Exception , didn't return any result . however in in Events tab I can see millions of events.

0 Karma

renjith_nair
Legend

Thats probably because, you dont have the field name Exception in your events. Try extracting this field and do the stats.

For e.g.

index="hbr-itv" |rex field=_raw "exceptions\.(?<Exception>\w+)"|stats count by Exception

If the above gives you stats tab, then try

  index="hbr-itv" |rex field=_raw "exceptions\.(?<Exception>\w+)"
  |eval date=strftime(_time,"%Y-%m-%d")|chart count over Exception  by date
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

bipin_tiwari
New Member

@renjith.nair , is there any way and to have a direct call and discuss the issue .

0 Karma
Get Updates on the Splunk Community!

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...