Splunk Search

How to combine searches in order to output the total result of each exception?

New Member

I have been able to get a unique result for each log... now my issue is that I don't know how to combine the results.
This works:

index=index1 sourcetype=mySourcetype "Caused by:"
 | rex field=_raw "Caused by:\s(?<myException>[\S]+)"
 | stats count by myException

index=index2 sourcetype=mySourcetype "Caused by:"
 | rex field=_raw "Caused by:\s(?<myException>[\S]+)"
 | stats count by myException

How to join index1 and index2 and print the result?


Motivator

Try this please:

(index=index1 OR index=index2) sourcetype=mySourcetype "Caused by:"
|  rex field=_raw "Caused by:\s(?<myException>[\S]+)"
| stats count by myException

Also if this answer helped you, please close it by accepting the answer. Thanks.
https://answers.splunk.com/answers/486114/how-to-generate-a-table-that-lists-all-java-except.html#an...


Revered Legend

How do you want to combine: get a single total, OR get separate totals in a single search result? @gokadroid's answer is giving you the former.


New Member

The output I am looking for is:

SearchType   ExceptionName             Occurrence
xyz          java.io.Exception         10
abc          java.lang.ClassException  5


New Member

Separate totals in a single search row.


Motivator

I think what I understood the requirement to be was:

index1 had exception1, exception2
index2 had exception2, exception3

Required output

Type         count
exception1   1
exception2   2
exception3   1

Revered Legend

That's why having an expected output in the question clears the requirement 100% of the time.


Revered Legend

Just add the index field to the stats command in @gokadroid's answer, if you want to differentiate between exceptions from index1 and index2.

(index=index1 OR index=index2) sourcetype=mySourcetype "Caused by:"
 |  rex field=_raw "Caused by:\s(?<myException>[\S]+)"
 | stats count by index myException
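To make concrete what the two variants in this thread return, here is a small Python emulation of the rex-plus-stats pipeline over constructed sample events. This is added example code, not from the original posts or from Splunk; it assumes Python's (?P<name>...) group syntax in place of rex's (?<name>...), and the event lines are invented.

```python
import re
from collections import Counter

# Same pattern as the thread's rex, in Python's (?P<name>...) spelling.
# Note the caveat: \S+ stops at the first whitespace, so when a message
# follows the class name the captured value keeps its trailing colon.
CAUSED_BY = re.compile(r"Caused by:\s(?P<myException>\S+)")

# Constructed sample events as (index, _raw), mimicking the two indexes.
EVENTS = [
    ("index1", "... Caused by: java.io.IOException: Connection reset"),
    ("index1", "... Caused by: java.lang.NullPointerException"),
    ("index1", "... Caused by: java.io.IOException: Broken pipe"),
    ("index2", "... Caused by: java.lang.NullPointerException"),
    ("index2", "... Caused by: java.sql.SQLException: timeout"),
    ("index2", "INFO nothing wrong here"),  # no match: dropped by stats
]

def extract(events):
    """Emulate `rex field=_raw ...`: yield (index, myException) per match."""
    for index, raw in events:
        m = CAUSED_BY.search(raw)
        if m:
            yield index, m.group("myException")

def count_by_exception(events):
    """`(index=index1 OR index=index2) ... | stats count by myException`."""
    return Counter(exc for _, exc in extract(events))

def count_by_index_exception(events):
    """`... | stats count by index myException` (separate totals per index)."""
    return Counter(extract(events))

if __name__ == "__main__":
    for exc, n in sorted(count_by_exception(EVENTS).items()):
        print(f"{exc:40} {n}")
    print()
    for (idx, exc), n in sorted(count_by_index_exception(EVENTS).items()):
        print(f"{idx:8} {exc:40} {n}")
```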

Revered Legend

How do you get the SearchType? It's not a field in your original query.


Communicator

Hi Gokadroid,
How do I extract fields from the raw event below using rex?
We tried this:

index=""  source="E:\Splunk_logs\PH\Prod\MethodExecution\1088\VWNV02AX01571\MethodExecutionInfo20170215-09.txt"   | rex field=_raw "(?P<date>.[^@$@])" | rex field=_raw "(?P<server>.[^vw]*)"

But we are only able to extract the 1st field (date) based on @$@. From the 2nd field onwards we need to extract based on the 2nd occurrence of @$@ (2nd field: server name), the 3rd occurrence of @$@ (3rd field: session ID), and so on for all fields.
2017-02-15 09:59:51,787@$@VWNV02AX01571@$@72f62f43-7269-4ca9-add5-3b623982a5fc@$@@$@5e3de831-cde6-4b83-be76-0235345063c3@$@OHHNCacheCommonBO@$@LogDynamicObjectsByDelegates@$@LogDynamicObjects@$@2017-02-15 09:59:51.787@$@2017-02-15 09:59:51.787@$@0@$@@$@

It would be a great help to me!

Happy Splunking I love splunk
