Splunk Search

Group Events with pattern

Thulasinathan_M
Contributor

Hi Splunk Experts,
I've been trying to group "WARN" logs, but they have a pattern (dynamic/argument values) in them. I'm aware of rex, but I don't want to manually rex for 1000s of such different events. I've even tried cluster, but that doesn't suit my use case well. Any assistance would be much appreciated! Thanks in advance.

2024-08-31 12:34:56 WARN  ConfigurationLoader - Deprecated configuration detected in path /xx/yy/zz. Please update your settings to use the latest configuration options.
2024-08-31 12:34:56 WARN  ConfigurationLoader - Deprecated configuration detected in path /aa/dd/jkl. Please update your settings to use the latest configuration options.
2024-08-31 14:52:34 WARN  QueryExecutor - Query execution time exceeded the threshold: 12.3 seconds. Query: SELECT * FROM users WHERE last_login > '2024-01-01'.
2024-08-31 14:52:34 WARN  QueryExecutor - Query execution time exceeded the threshold: 21.9 seconds. Query: SELECT * FROM contacts WHERE contact_id > '252'.
2024-08-31 14:52:34 WARN  QueryExecutor - Query execution time exceeded the threshold: 9.5 seconds. Query: SELECT * FROM users WHERE user_id = '123024001'.
2024-08-31 13:45:10 WARN  MemoryMonitor - High memory usage detected: 85% of allocated memory is in use. Consider increasing the available memory.
2024-08-31 13:45:10 WARN  MemoryMonitor - High memory usage detected: 58% of allocated memory is in use. Consider increasing the available memory.
2024-08-31 14:52:34 WARN  QueryExecutor - Query execution time exceeded the threshold: 32.3 seconds. Query: SELECT * FROM users WHERE last_login > '2024-01-01'.

I wish to group them something like below, to group similar events:

count=2  WARN  ConfigurationLoader Deprecated configuration detected in path. Please update your settings to use the latest configuration options
count=4  WARN  QueryExecutor Query execution time exceeded the threshold: . Query:
count=2  WARN  MemoryMonitor High memory usage detected: of allocated memory is in use. Consider increasing the available memory.


PickleRick
SplunkTrust

If you want Splunk to "guess", you might look at MLTK.


richgalloway
SplunkTrust

Have you tried the "Patterns" tab?  That can show patterns in your results if you have enough events for Splunk to analyze.

If you have a finite set of events then you may be able to group them using a case function and the stats command.

...
| eval warn = case(
    match(_raw, "ConfigurationLoader - Deprecated configuration detected in path .*?\. Please update your settings to use the latest configuration options\."), "ConfigurationLoader - Deprecated configuration detected in path. Please update your settings to use the latest configuration options",
    match(_raw, "QueryExecutor - Query execution time exceeded the threshold: .*"), "QueryExecutor - Query execution time exceeded the threshold.  Query:",
    match(_raw, "MemoryMonitor - High memory usage detected: .*? of allocated memory is in use\. Consider increasing the available memory\."), "MemoryMonitor - High memory usage detected: of allocated memory is in use. Consider increasing the available memory.",
    1==1, _raw)
| stats count by warn

Of course, this requires you to know which warnings are of interest and becomes impractical when there is a large number of them.

---
If this reply helps you, Karma would be appreciated.
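The case()/stats answer above works when you can enumerate the patterns; the original question is about the case where you cannot. The script below is an added example (not code from the thread or from Splunk) showing the token-similarity grouping that tools like the Patterns tab and cluster perform, run over lines constructed to match the ones in the question: each message is split into tokens, digit-bearing tokens (durations, percentages, ids, dates) are pre-masked, events are bucketed by level, component and token count, and a new event joins an existing template when enough positions agree, with the positions that differ turned into wildcards. The line layout, the 0.5 similarity threshold and the "<*>" wildcard are assumptions chosen for this sample.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the WARN lines in the question (not real data).
SAMPLE_LOGS = """\
2024-08-31 12:34:56 WARN  ConfigurationLoader - Deprecated configuration detected in path /xx/yy/zz. Please update your settings to use the latest configuration options.
2024-08-31 12:34:56 WARN  ConfigurationLoader - Deprecated configuration detected in path /aa/dd/jkl. Please update your settings to use the latest configuration options.
2024-08-31 14:52:34 WARN  QueryExecutor - Query execution time exceeded the threshold: 12.3 seconds. Query: SELECT * FROM users WHERE last_login > '2024-01-01'.
2024-08-31 14:52:34 WARN  QueryExecutor - Query execution time exceeded the threshold: 21.9 seconds. Query: SELECT * FROM contacts WHERE contact_id > '252'.
2024-08-31 14:52:34 WARN  QueryExecutor - Query execution time exceeded the threshold: 9.5 seconds. Query: SELECT * FROM users WHERE user_id = '123024001'.
2024-08-31 13:45:10 WARN  MemoryMonitor - High memory usage detected: 85% of allocated memory is in use. Consider increasing the available memory.
2024-08-31 13:45:10 WARN  MemoryMonitor - High memory usage detected: 58% of allocated memory is in use. Consider increasing the available memory.
2024-08-31 14:52:34 WARN  QueryExecutor - Query execution time exceeded the threshold: 32.3 seconds. Query: SELECT * FROM users WHERE last_login > '2024-01-01'.
"""

# Assumed line layout: "<date> <time> <LEVEL>  <Component> - <message>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>[A-Z]+)\s+(?P<component>\w+) - (?P<msg>.*)$"
)
WILDCARD = "<*>"          # assumed placeholder for a variable position
SIM_THRESHOLD = 0.5       # assumed: share of positions that must agree to join a template


def tokenize(msg):
    """Split on whitespace and pre-mask every token that carries a digit.
    Tokens without digits (paths, SQL identifiers) are left alone; the merge
    step below turns them into wildcards only if they actually vary."""
    return [WILDCARD if re.search(r"\d", t) else t for t in msg.split()]


def similarity(template, tokens):
    """Fraction of positions where the template already holds a wildcard or the
    tokens are identical. Caller guarantees equal length."""
    same = sum(1 for a, b in zip(template, tokens) if a == WILDCARD or a == b)
    return same / len(tokens)


def merge(template, tokens):
    """Keep agreeing positions, wildcard the rest."""
    return [a if a == b else WILDCARD for a, b in zip(template, tokens)]


def mine_templates(text, threshold=SIM_THRESHOLD):
    """Return ({(level, component, template): count}, [unparsed lines]).
    Events are bucketed by (level, component, token count) so only same-shaped
    messages from the same component are ever compared or merged."""
    buckets = defaultdict(list)   # key -> [[template_tokens, count], ...]
    unparsed = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)   # keep, never silently drop, what did not fit the layout
            continue
        tokens = tokenize(m["msg"])
        key = (m["level"], m["component"], len(tokens))
        best, best_sim = None, 0.0
        for entry in buckets[key]:
            s = similarity(entry[0], tokens)
            if s > best_sim:
                best, best_sim = entry, s
        if best is not None and best_sim >= threshold:
            best[0] = merge(best[0], tokens)
            best[1] += 1
        else:
            buckets[key].append([tokens, 1])
    templates = {}
    for (level, component, _n), entries in buckets.items():
        for tmpl, count in entries:
            templates[(level, component, " ".join(tmpl))] = count
    return templates, unparsed


if __name__ == "__main__":
    found, bad = mine_templates(SAMPLE_LOGS)
    for (level, component, tmpl), count in sorted(found.items(), key=lambda kv: -kv[1]):
        print(f"count={count}  {level}  {component} {tmpl}")
    if bad:
        print(f"{len(bad)} line(s) did not match the expected layout")
```

On the sample this yields the three templates the question asks for, with counts 4, 2 and 2; the four QueryExecutor events collapse into one template even though their SQL differs, because the differing table, column and operator positions become wildcards. Two caveats for anyone reusing this on real data: pre-masking every digit-bearing token also hides values you may want to keep apart (status codes, user ids), so tighten that rule if those matter to the detection; and a low threshold lets unrelated same-length messages from one component merge, so check the wildcard density of each template before trusting the counts. Bucketing by component is what keeps ConfigurationLoader and MemoryMonitor apart here despite both messages having the same token count.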