Solved: Re: How do you use the rex command to extract a ce... - Splunk Community

Splunk Search

I am trying to extract a certain error and then plot in on an are chart using rex. Below is the error I am looking for in logs :

Error : Request processing failed; nested exception is com.unionbank.banking.exception.BankingRuntimeException: HRTMap : HRTMap

The query I am using is :

index=xxx host=*prd* source= *yyy* "HRTMap"  | eval Date=strftime(_time, "%m-%d-%Y") | eval Time=strftime(_time, "%H:%M:%S") |rex "HRTMap: (?\w+)" | timechart count(HRTMapError) as HRT

but I am not getting a result for that.

1 Solution

Solution

Try this:

index=xxx host=prd source= yyy "HRTMap" | eval Date=strftime(_time, "%m-%d-%Y") | eval Time=strftime(_time, "%H:%M:%S") |rex "HRTMap\s*:\s*(?<HRTMapError>\w+)" | timechart count(HRTMapError) as HRT

You can also use |timechart dc(HRTMapError) as HRT to get the distinct count of error messages.

Hope it helps

View solution in original post

Solution

Try this:

index=xxx host=prd source= yyy "HRTMap" | eval Date=strftime(_time, "%m-%d-%Y") | eval Time=strftime(_time, "%H:%M:%S") |rex "HRTMap\s*:\s*(?<HRTMapError>\w+)" | timechart count(HRTMapError) as HRT

You can also use |timechart dc(HRTMapError) as HRT to get the distinct count of error messages.

Hope it helps

Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now! In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...