Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extract erros from logs

haist
Explorer
‎01-27-2022 06:46 PM

Hi,

I'm new to Splunk and I would like to get top errors on a table, but the external API returns a stack tracing making it difficult to work on it.

I'm trying to make a regex that groups those errors by error code "*Return code: [<code>]*"( letting it work with other errors), than count it.

Could you help me, please? 🥺

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

haist
Explorer
‎02-02-2022 04:50 AM

Hi @gcusello, thanks for the suggestion

I used Rex to create a new field with return code, then stats to count and show similar errors

 

 

...
| rex field=Response.body.Result "(?<code>(Return code: \[\d+]|null))"
| stats first(Response.body.Result) as Logs count(code) as Events
| table Logs, Events

 

 

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-27-2022 11:19 PM

Hi @haist,

if you need help in regex creation, you should share some log examples.

If instead you need help in search, you have to follow these steps:

  • identify the error conditions (e.g. in ora errors are identified by ORA9999),
  • create a new field (code) using the identified regex,
  • Use the new field to filter your logs to have only the error logs,
  • identify the relevant fields to display in the table (e.g. host, earliest, latest),
  • identify eventual aggregation fields (e.g. code),
  • create simple search like the following:
index=your_index code IN ("error1","error2","error3")
| stats values(host) AS host earliest(_time) AS earliest latest(_time) AS latest count BY code
| eval 
   earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S"),
   latest=strftime(latest,"%Y-%m-%d %H:%M:%S")

 Ciao.

Giuseppe

Reply
Solved! Jump to solution
Solution

haist
Explorer
‎02-02-2022 04:50 AM

Hi @gcusello, thanks for the suggestion

I used Rex to create a new field with return code, then stats to count and show similar errors

 

 

...
| rex field=Response.body.Result "(?<code>(Return code: \[\d+]|null))"
| stats first(Response.body.Result) as Logs count(code) as Events
| table Logs, Events

 

 

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-02-2022 05:37 AM

Hi @haist,

ok, I don't understand where you are taking the field "counter" that it's in teh table command but it isn't in the stats command.

Remember that after a stats command you have only the fields expressed in the stats command, in your case only "Logs" and "Events", not "counter"!

Anyway, if my answer solves your problem, please accept it for the other people of Community, otherwise, tell me how can I help you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Solved! Jump to solution

haist
Explorer
‎02-02-2022 07:47 AM

That's true, I was generalizing and translating the names and mismatched here, thanks for attention 😀

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk MCP & Agentic AI: Machine Data Without Limits

  Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...

Finding Based Detections General Availability

Overview  We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars  Sometimes, you just need to see the code. For those looking for a ...