Solved: Grouping by a substring

R0ss · ‎06-19-2017

Hello,

I'm having trouble grouping errors in our Splunk logs. The date and time is appended to the error messages, meaning that every message is unique. For example:

Message=2017-06-19 09:15:23,825 ERROR - Here is the error message that we would like to group on...

I would like to ignore the date/time string and group on the text that appears after this. The best I have come up with is as follows:

Type=Error | eval ErrorString=substr(Message,30,len(Message)) | stats count by ErrorString

But this search still seems to evaluate as if the date is present in the new ErrorString string (the count is always 1 and ErrorString's are duplicated across rows)

Could you help me to write a query that would group the error messages and ignore the date/time.

Thanks,
Ross

dineshraj9 · ‎06-19-2017

You can extract the string at the end and use it in the grouping -

<your search> | rex field=Message "(?<ErrorString>ERROR.+)"  | stats count by ErrorString

View solution in original post

dineshraj9 · ‎06-19-2017

You can extract the string at the end and use it in the grouping -

<your search> | rex field=Message "(?<ErrorString>ERROR.+)"  | stats count by ErrorString

R0ss · ‎06-19-2017

Perfect, thank you!

Grouping by a substring

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Enterprise Security Content Update (ESCU) | New Releases

Index This | Divide 100 by half. What do you get?