Solved: Get stats by error type

allladin101 · ‎02-18-2015

Hi,

I am trying to classify error messages based on a substring in the error message. Say suppose there are 10 errors, 3 of them have the substring "sever not reponding" to be shown in the stats as -'server error' and 5 have the substring "Timed Out" - to be shown in the stats as 'Time out error' and rest can be classified as 'others'.

Here is how i want to see the result:

error_type count

server error 3
Time out error 5
others 2

Can somebody help.

I have this basic query as of now:

index=whatever ERROR-XXXX action=* earliest=-10d@d latest=now|eval error=split(action,"error:")|eval error_type=mvindex(error,1)|stats count by error_type

above query does not work for me. 😞

pradeepkumarg · ‎02-18-2015

index=whatever ERROR-XXXX action=* earliest=-10d@d latest=now | eval ERROR_TYPE= if(searchmatch("sever not reponding"), "Server Error", (if(searchmatch("Timed Out"),"Timed Out Error", "OTHER")))) | stats count by ERROR_TYPE

View solution in original post

pradeepkumarg · ‎02-18-2015

index=whatever ERROR-XXXX action=* earliest=-10d@d latest=now | eval ERROR_TYPE= if(searchmatch("sever not reponding"), "Server Error", (if(searchmatch("Timed Out"),"Timed Out Error", "OTHER")))) | stats count by ERROR_TYPE

Get stats by error type

error_type count

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Are you a member of the Splunk Community?

Get stats by error type

error_type count

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions