Splunk Search

How to calculate what percentage of bytes are Java stacktraces of indexed Java application logs?

Bohrnag
New Member

We are currently indexing logs from various Java applications. Does anyone know of some way we can calculate how much of those logs in one index are Java stacktraces, ideally as a percentage of bytes?

0 Karma

Damien_Dallimor
Ultra Champion

Something like this might work for you , it's a bit fuzzy , not based on actual bytes on disk , but gives an approximation of the percentage of the raw event data that is from exceptions.

Replace YOURINDEX and YOUREXCEPTIONPATTERN with relevant values for your environment.

index=YOURINDEX | eval event_length_all = len(_raw) |eventstats sum(event_length_all) as all_event_length | regex _raw="YOUREXCEPTIONPATTERN" | eval event_length = len(_raw) | eventstats sum(event_length) as exceptions_length | eval percentage_of_events_that_are_exceptions=exceptions_length/all_event_length*100 | table percentage_of_events_that_are_exceptions
0 Karma

Bohrnag
New Member

Thanks! I guess I'll need to look into exactly how to define what a Java stacktrace looks like 🙂

0 Karma
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!

Maximizing the Value of Splunk ES 8.x

Splunk Enterprise Security (ES) continues to be a leader in the Gartner Magic Quadrant, reflecting its pivotal ...

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...

Introducing .conf Stories Series!

“.conf Stories” Series – First Feature: Rich Mahlerwein   Every year .conf brings together some of the most ...