Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Handle different search results as one by analysing the percentage match

mmsbswe
Engager
‎08-13-2019 01:47 AM

Hi Community,

i have a search which shows me all PHP-Errors in the configured timespan. Now i want so sort this results by matching diffs other results in percent and show results over X% matching results as one.

For instance:

Search Query:

index=php source="/var/log/docker/php-fpm/error.log" "PHP Fatal error"

Example result 1:

[13-Aug-2019 03:01:29 Europe/Berlin] PHP Fatal error:  Uncaught Error: Call to a member function fetch_assoc() on boolean in 
/usr/share/nginx/current/typo3-web/web/typo3conf/AdditionalConfigurations/overrideSettings.php:22
Stack trace:
#0 /usr/share/nginx/current/typo3-web/web/typo3conf/AdditionalConfiguration.php(10): require_once()

Example result 2:

[12-Aug-2019 17:01:01 Europe/Berlin] PHP Fatal error:  Uncaught Error: Call to a member function fetch_assoc() on boolean in /usr/share/nginx/current/typo3-web/web/typo3conf/AdditionalConfigurations/overrideSettings.php:12
Stack trace:
#0 /usr/share/nginx/current/typo3-web/web/typo3conf/AdditionalConfigurations/EnvironmentPilot.php(41): include()

Field extractions are very useful but the most php-fpm-errors are very different in their appearance.

Now i want a output like this instead of two results :

PHP Fatal error:  Uncaught Error: Call to a member function fetch_assoc() on boolean in 
 /usr/share/nginx/current/typo3-web/web/typo3conf/AdditionalConfigurations/overrideSettings.php:22
....

Thanks in advance for checking my question!

0 Karma
Reply

Sukisen1981
Champion
‎08-13-2019 03:46 AM

so you extract using a rgeex from PHP Fatal error: Uncaught Error: to end of line or to just before Stack trace: is encountered in the log.
Then you look at how many distinct such extractions you get and calculate percentages based on the counts.
Is this what you are looking for?

Reply

mmsbswe
Engager
‎08-14-2019 01:37 AM

Hi, i will try it. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...