Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Extract erros from logs

haist
Explorer
‎01-27-2022 06:46 PM

Hi,

I'm new to Splunk and I would like to get top errors on a table, but the external API returns a stack tracing making it difficult to work on it.

I'm trying to make a regex that groups those errors by error code "*Return code: [<code>]*"( letting it work with other errors), than count it.

Could you help me, please? 🥺

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

haist
Explorer
‎02-02-2022 04:50 AM

Hi @gcusello, thanks for the suggestion

I used Rex to create a new field with return code, then stats to count and show similar errors

 

 

...
| rex field=Response.body.Result "(?<code>(Return code: \[\d+]|null))"
| stats first(Response.body.Result) as Logs count(code) as Events
| table Logs, Events

 

 

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-27-2022 11:19 PM

Hi @haist,

if you need help in regex creation, you should share some log examples.

If instead you need help in search, you have to follow these steps:

  • identify the error conditions (e.g. in ora errors are identified by ORA9999),
  • create a new field (code) using the identified regex,
  • Use the new field to filter your logs to have only the error logs,
  • identify the relevant fields to display in the table (e.g. host, earliest, latest),
  • identify eventual aggregation fields (e.g. code),
  • create simple search like the following:
index=your_index code IN ("error1","error2","error3")
| stats values(host) AS host earliest(_time) AS earliest latest(_time) AS latest count BY code
| eval 
   earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S"),
   latest=strftime(latest,"%Y-%m-%d %H:%M:%S")

 Ciao.

Giuseppe

Reply
Solved! Jump to solution
Solution

haist
Explorer
‎02-02-2022 04:50 AM

Hi @gcusello, thanks for the suggestion

I used Rex to create a new field with return code, then stats to count and show similar errors

 

 

...
| rex field=Response.body.Result "(?<code>(Return code: \[\d+]|null))"
| stats first(Response.body.Result) as Logs count(code) as Events
| table Logs, Events

 

 

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-02-2022 05:37 AM

Hi @haist,

ok, I don't understand where you are taking the field "counter" that it's in teh table command but it isn't in the stats command.

Remember that after a stats command you have only the fields expressed in the stats command, in your case only "Logs" and "Events", not "counter"!

Anyway, if my answer solves your problem, please accept it for the other people of Community, otherwise, tell me how can I help you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Solved! Jump to solution

haist
Explorer
‎02-02-2022 07:47 AM

That's true, I was generalizing and translating the names and mismatched here, thanks for attention 😀

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...