Splunk Search

Group Events with pattern

Thulasinathan_M
Contributor

Hi Splunk Experts,
I've been trying to group "WARN" logs, but they have a pattern (dynamic/argument values) in them. I'm aware of rex, but I don't want to manually rex for thousands of such different events. I've even tried cluster, but that doesn't suit my use case well. Any assistance would be much appreciated! Thanks in advance.

2024-08-31 12:34:56 WARN  ConfigurationLoader - Deprecated configuration detected in path /xx/yy/zz. Please update your settings to use the latest configuration options.
2024-08-31 12:34:56 WARN  ConfigurationLoader - Deprecated configuration detected in path /aa/dd/jkl. Please update your settings to use the latest configuration options.
2024-08-31 14:52:34 WARN  QueryExecutor - Query execution time exceeded the threshold: 12.3 seconds. Query: SELECT * FROM users WHERE last_login > '2024-01-01'.
2024-08-31 14:52:34 WARN  QueryExecutor - Query execution time exceeded the threshold: 21.9 seconds. Query: SELECT * FROM contacts WHERE contact_id > '252’.
2024-08-31 14:52:34 WARN  QueryExecutor - Query execution time exceeded the threshold: 9.5 seconds. Query: SELECT * FROM users WHERE user_id = '123024001'.
2024-08-31 13:45:10 WARN  MemoryMonitor - High memory usage detected: 85% of allocated memory is in use. Consider increasing the available memory.
2024-08-31 13:45:10 WARN  MemoryMonitor - High memory usage detected: 58% of allocated memory is in use. Consider increasing the available memory.
2024-08-31 14:52:34 WARN  QueryExecutor - Query execution time exceeded the threshold: 32.3 seconds. Query: SELECT * FROM users WHERE last_login > '2024-01-01'.

 
I wish to group them something like below, to group similar events!

Pattern | Count
WARN  ConfigurationLoader Deprecated configuration detected in path. Please update your settings to use the latest configuration options | 2
WARN  QueryExecutor Query execution time exceeded the threshold: . Query: | 4
WARN  MemoryMonitor High memory usage detected: of allocated memory is in use. Consider increasing the available memory. | 2

0 Karma

PickleRick
SplunkTrust

If you want Splunk to "guess", you might look at MLTK.

0 Karma

richgalloway
SplunkTrust

Have you tried the "Patterns" tab?  That can show patterns in your results if you have enough events for Splunk to analyze.

If you have a finite set of events then you may be able to group them using a case function and the stats command.

...
| eval warn = case(match(_raw, "ConfigurationLoader - Deprecated configuration detected in path .*?. Please update your settings to use the latest configuration options."), "ConfigurationLoader - Deprecated configuration detected in path. Please update your settings to use the latest configuration options",
    match(_raw, "QueryExecutor - Query execution time exceeded the threshold: .*"), "QueryExecutor - Query execution time exceeded the threshold.  Query:",
    match(_raw, "MemoryMonitor - High memory usage detected: .*? of allocated memory is in use. Consider increasing the available memory."), "MemoryMonitor - High memory usage detected: of allocated memory is in use. Consider increasing the available memory.",
    1==1, _raw)
| stats count by warn

Of course, this requires you to know which warnings are of interest and becomes impractical when there is a large number of them.

---
If this reply helps you, Karma would be appreciated.
0 Karma
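As an added example (not code from the thread), the same grouping done without writing one pattern per message: the dynamic parts of each message (paths, numbers and percentages, quoted literals, the SQL text after "Query:") are masked with placeholder tokens, and the remaining template is counted. The log lines are constructed copies of the question's samples, and the mask patterns are assumptions tuned to them.

```python
import re
from collections import Counter

# Constructed sample input, copied from the question's WARN lines.
SAMPLE_LOGS = """\
2024-08-31 12:34:56 WARN  ConfigurationLoader - Deprecated configuration detected in path /xx/yy/zz. Please update your settings to use the latest configuration options.
2024-08-31 12:34:56 WARN  ConfigurationLoader - Deprecated configuration detected in path /aa/dd/jkl. Please update your settings to use the latest configuration options.
2024-08-31 14:52:34 WARN  QueryExecutor - Query execution time exceeded the threshold: 12.3 seconds. Query: SELECT * FROM users WHERE last_login > '2024-01-01'.
2024-08-31 14:52:34 WARN  QueryExecutor - Query execution time exceeded the threshold: 21.9 seconds. Query: SELECT * FROM contacts WHERE contact_id > '252'.
2024-08-31 14:52:34 WARN  QueryExecutor - Query execution time exceeded the threshold: 9.5 seconds. Query: SELECT * FROM users WHERE user_id = '123024001'.
2024-08-31 13:45:10 WARN  MemoryMonitor - High memory usage detected: 85% of allocated memory is in use. Consider increasing the available memory.
2024-08-31 13:45:10 WARN  MemoryMonitor - High memory usage detected: 58% of allocated memory is in use. Consider increasing the available memory.
2024-08-31 14:52:34 WARN  QueryExecutor - Query execution time exceeded the threshold: 32.3 seconds. Query: SELECT * FROM users WHERE last_login > '2024-01-01'.
"""

# "<date> <time> <LEVEL>  <Logger> - <message>" as in the samples (assumed layout).
LINE_RE = re.compile(r"^\S+ \S+ (?P<level>[A-Z]+)\s+(?P<logger>\S+) - (?P<msg>.*)$")

# Masks for the dynamic parts; order matters, most specific first.
MASKS = [
    (re.compile(r"Query: .*$"), "Query: <SQL>"),             # whole SQL statement
    (re.compile(r"'[^']*'"), "<STR>"),                       # quoted literals
    (re.compile(r"(?<=\s)/[\w/-]+(?:\.\w+)?"), "<PATH>"),    # filesystem paths
    (re.compile(r"\b\d+(?:\.\d+)?%?"), "<NUM>"),             # numbers, percentages
]

def template(line):
    """Return 'LEVEL Logger masked-message' for one line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    for rx, token in MASKS:
        msg = rx.sub(token, msg)
    return f"{m['level']} {m['logger']} {msg}"

def group_by_template(text, level="WARN"):
    """Count events per masked template, keeping only the requested level."""
    counts = Counter()
    for line in text.splitlines():
        t = template(line)
        if t and t.startswith(level + " "):
            counts[t] += 1
    return counts

if __name__ == "__main__":
    for tmpl, n in group_by_template(SAMPLE_LOGS).most_common():
        print(f"{n:4d}  {tmpl}")
```

The same substitutions can be applied in SPL with rex mode=sed on _raw before | stats count, which keeps the counting in Splunk rather than in a script.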