Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Group Events with pattern

Thulasinathan_M
Contributor
‎08-31-2024 10:05 AM

Hi Splunk Experts,
I've been trying to group "WARN" logs, but they have a pattern (Dynamic/ Argument values) in them. I'm aware of rex, but I don't want to manually rex for 1000s of such different events. I've even tried cluster, but that doesn't suits well my usecase. Any assistance would be much appreciated.!! Thanks in advance.

2024-08-31 12:34:56 WARN  ConfigurationLoader - Deprecated configuration detected in path /xx/yy/zz. Please update your settings to use the latest configuration options.
2024-08-31 12:34:56 WARN  ConfigurationLoader - Deprecated configuration detected in path /aa/dd/jkl. Please update your settings to use the latest configuration options.
2024-08-31 14:52:34 WARN  QueryExecutor - Query execution time exceeded the threshold: 12.3 seconds. Query: SELECT * FROM users WHERE last_login > '2024-01-01'.
2024-08-31 14:52:34 WARN  QueryExecutor - Query execution time exceeded the threshold: 21.9 seconds. Query: SELECT * FROM contacts WHERE contact_id > '252’.
2024-08-31 14:52:34 WARN  QueryExecutor - Query execution time exceeded the threshold: 9.5 seconds. Query: SELECT * FROM users WHERE user_id = '123024001'.
2024-08-31 13:45:10 WARN  MemoryMonitor - High memory usage detected: 85% of allocated memory is in use. Consider increasing the available memory.
2024-08-31 13:45:10 WARN  MemoryMonitor - High memory usage detected: 58% of allocated memory is in use. Consider increasing the available memory.
2024-08-31 14:52:34 WARN  QueryExecutor - Query execution time exceeded the threshold: 32.3 seconds. Query: SELECT * FROM users WHERE last_login > '2024-01-01'.

 
I wish to group them something like below to group similar events!!

WARN  ConfigurationLoader Deprecated configuration detected in path. Please update your settings to use the latest configuration options

 2

WARN  QueryExecutor Query execution time exceeded the threshold: . Query:

 4

WARN  MemoryMonitor High memory usage detected: of allocated memory is in use. Consider increasing the available memory.

 2

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-01-2024 01:52 AM

If you want Splunk to "guess", you might look at MLTK.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-31-2024 05:13 PM

Have you tried the "Patterns" tab?  That can show patterns in your results if you have enough events for Splunk to analyze.

If you have a finite set of events then you may be able to group them using a case function and the stats command.

...
| eval warn = case(match(_raw, "ConfigurationLoader - Deprecated configuration detected in path .*?. Please update your settings to use the latest configuration options.", "ConfigurationLoader - Deprecated configuration detected in path. Please update your settings to use the latest configuration options",
    match(_raw, "QueryExecutor - Query execution time exceeded the threshold .*", "QueryExecutor - Query execution time exceeded the threshold.  Query:",
    match(_raw, "MemoryMonitor - High memory usage detected: .*? of allocated memory is in use. Consider increasing the available memory.", "MemoryMonitor - High memory usage detected: of allocated memory is in use. Consider increasing the available memory.",
    1==1, _raw)
| stats count by warn

Of course, this requires you to know which warnings are of interest and becomes impractical when there is a large number of them.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...