We are currently indexing logs from various Java applications. Does anyone know of some way we can calculate how much of those logs in one index are Java stacktraces, ideally as a percentage of bytes?
Something like this might work for you. It's a bit fuzzy, not based on actual bytes on disk, but gives an approximation of the percentage of the raw event data that is from exceptions.
Replace YOURINDEX and YOUREXCEPTIONPATTERN with relevant values for your environment.
index=YOURINDEX | eval event_length_all=len(_raw) | eventstats sum(event_length_all) as all_event_length | regex _raw="YOUREXCEPTIONPATTERN" | eval event_length=len(_raw) | eventstats sum(event_length) as exceptions_length | eval percentage_of_events_that_are_exceptions=exceptions_length/all_event_length*100 | table percentage_of_events_that_are_exceptions
Thanks! I guess I'll need to look into exactly how to define what a Java stacktrace looks like 🙂
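One way to pin down what counts as a Java stack trace and measure its share of bytes offline, as an added example that is not part of the original thread. The patterns, function names and sample events are assumptions constructed for illustration, and the script counts the UTF-8 bytes of trace lines only rather than the whole length of every matching event.

```python
import re

# Assumed shape of stack trace lines: "\tat pkg.Class.method(File.java:42)",
# "Caused by: ...", and "\t... 12 more" / "... 12 common frames omitted".
TRACE_LINE = re.compile(
    r"^(?:\s+at [\w.$<>/]+\([^)]*\)"
    r"|Caused by: .+"
    r"|\s+\.\.\. \d+ (?:more|common frames omitted))\s*$"
)
# Assumed exception header, e.g. "java.lang.IllegalStateException: boom".
HEADER = re.compile(
    r'^(?:Exception in thread "[^"]*" )?(?:[\w$]+\.)+[\w$]*(?:Exception|Error)\b'
)

def trace_bytes(event: str) -> int:
    """UTF-8 bytes of the lines in one event that belong to a stack trace."""
    lines = event.splitlines(keepends=True)
    flags = [bool(TRACE_LINE.match(l.rstrip("\r\n"))) for l in lines]
    for i, line in enumerate(lines[:-1]):
        # A header line counts only when a trace line directly follows it,
        # so a class name mentioned in an ordinary message is not counted.
        if not flags[i] and flags[i + 1] and HEADER.match(line):
            flags[i] = True
    return sum(len(l.encode("utf-8")) for l, f in zip(lines, flags) if f)

def stacktrace_percentage(events) -> float:
    """Share of all event bytes that are stack trace lines, in percent."""
    total = sum(len(e.encode("utf-8")) for e in events)
    traces = sum(trace_bytes(e) for e in events)
    return 100.0 * traces / total if total else 0.0

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    "2024-05-01 10:00:00 INFO  OrderService - order 17 accepted\n",
    "2024-05-01 10:00:01 ERROR OrderService - payment failed\n"
    "java.lang.IllegalStateException: gateway down\n"
    "\tat com.example.Pay.charge(Pay.java:42)\n"
    "\tat com.example.OrderService.submit(OrderService.java:17)\n"
    "Caused by: java.net.ConnectException: Connection refused\n"
    "\tat java.base/java.net.Socket.connect(Socket.java:633)\n"
    "\t... 2 more\n",
]

if __name__ == "__main__":
    print(f"{stacktrace_percentage(SAMPLE_EVENTS):.1f}% of bytes are stack traces")
```

Once the frame alternative `\s+at [\w.$<>/]+\([^)]*\)` matches the traces your applications produce, it is a reasonable starting value for YOUREXCEPTIONPATTERN in the search above.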