Solved: How Can I get a table of distinct errors?

aohls · ‎12-12-2017

I am looking to create a table for distinct errors we have. Unfortunately I had this working at one point and am unable to recreate it and didn't save it. I have the following string, "Error - (Some text explaining the error)". I was doing the following to pull the variable for the error string: rex field=_raw "Error - \|(?<ErrorString>\d+)"

I am looking to create a table with the server, distinct error string, count of total occurrences of the error on the specified server. Currently when I try to add my ErrorString field, I get the number of events from my search but each field is blank.

rphillips_splk · ‎12-12-2017

From your description it sounds like you might be after a search like:

...|rex field=_raw "Error - \|(?<ErrorString>\d+)" | stats count by host ErrorString

View solution in original post

rphillips_splk · ‎12-12-2017

From your description it sounds like you might be after a search like:

...|rex field=_raw "Error - \|(?<ErrorString>\d+)" | stats count by host ErrorString

aohls · ‎12-12-2017

My error string is multiple words, is there a way to specify the rex to go a certain length and not stop at the first word?

DalJeanis · ‎12-12-2017

If you wanted up to 30 characters, you could go

|rex field=_raw "Error - \|(?<ErrorString>.{1,30})"

DalJeanis · ‎12-12-2017

Given the data, I don't see the reason for the escaped pipe \| in your rex. try deleting that and seeing if the rex works again.

adonio · ‎12-12-2017

maybe this:

your search | rex field=_raw "Error - |(?\d+)"
| stats count as error_count dc(ErrorString) as ErrString by server

How Can I get a table of distinct errors?

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...