Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extract erros from logs

haist
Explorer
‎01-27-2022 06:46 PM

Hi,

I'm new to Splunk and I would like to get top errors on a table, but the external API returns a stack tracing making it difficult to work on it.

I'm trying to make a regex that groups those errors by error code "*Return code: [<code>]*"( letting it work with other errors), than count it.

Could you help me, please? 🥺

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

haist
Explorer
‎02-02-2022 04:50 AM

Hi @gcusello, thanks for the suggestion

I used Rex to create a new field with return code, then stats to count and show similar errors

 

 

...
| rex field=Response.body.Result "(?<code>(Return code: \[\d+]|null))"
| stats first(Response.body.Result) as Logs count(code) as Events
| table Logs, Events

 

 

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-27-2022 11:19 PM

Hi @haist,

if you need help in regex creation, you should share some log examples.

If instead you need help in search, you have to follow these steps:

  • identify the error conditions (e.g. in ora errors are identified by ORA9999),
  • create a new field (code) using the identified regex,
  • Use the new field to filter your logs to have only the error logs,
  • identify the relevant fields to display in the table (e.g. host, earliest, latest),
  • identify eventual aggregation fields (e.g. code),
  • create simple search like the following:
index=your_index code IN ("error1","error2","error3")
| stats values(host) AS host earliest(_time) AS earliest latest(_time) AS latest count BY code
| eval 
   earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S"),
   latest=strftime(latest,"%Y-%m-%d %H:%M:%S")

 Ciao.

Giuseppe

Reply
Solved! Jump to solution
Solution

haist
Explorer
‎02-02-2022 04:50 AM

Hi @gcusello, thanks for the suggestion

I used Rex to create a new field with return code, then stats to count and show similar errors

 

 

...
| rex field=Response.body.Result "(?<code>(Return code: \[\d+]|null))"
| stats first(Response.body.Result) as Logs count(code) as Events
| table Logs, Events

 

 

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-02-2022 05:37 AM

Hi @haist,

ok, I don't understand where you are taking the field "counter" that it's in teh table command but it isn't in the stats command.

Remember that after a stats command you have only the fields expressed in the stats command, in your case only "Logs" and "Events", not "counter"!

Anyway, if my answer solves your problem, please accept it for the other people of Community, otherwise, tell me how can I help you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Solved! Jump to solution

haist
Explorer
‎02-02-2022 07:47 AM

That's true, I was generalizing and translating the names and mismatched here, thanks for attention 😀

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...