Splunk Search

How to combine searches in order to output the total result of each exception?

New Member

I have able to get unique result for each logs...now my issue is that i dont know how to combine the results
this works

index=index1 sourcetype=mySourcetype "Caused by:"
 | rex field=_raw "Caused by:\s(?[\S]+)"
 | stats count by myException

index=index2 sourcetype=mySourcetype "Caused by:"
 | rex field=_raw "Caused by:\s(?[\S]+)"
 | stats count by myException

how to join index1 and index2 and print the result?

0 Karma
1 Solution

Motivator

Try this please:

(index=index1 OR index=index2) sourcetype=mySourcetype "Caused by:"
|  rex field=_raw "Caused by:\s(?<myException>[\S]+)"
| stats count by myException

Also if this answer helped you, please close it by accepting the answer. Thanks.
https://answers.splunk.com/answers/486114/how-to-generate-a-table-that-lists-all-java-except.html#an...

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

How do you want to combine, get a single total OR get separate total in single search result? @gokadroid answer is giving you former.

0 Karma

New Member

Output i am looking is :

SearchType . ExceptionName . Occurance
xyz. java.io.Exception 10
abc . java.lang.ClassException . 5

0 Karma

New Member

separate total in single search row

0 Karma

Motivator

I think what I understood that requirement was:

index1 had exception1, exception2
index2 had exception 2, exception3

Required output

   Type.............. count
    exception1....... 1
    exception2........ 2
    exception3........ 1
0 Karma

SplunkTrust
SplunkTrust

That's why having an expected output in the question clears the requirement 100% of the time.

0 Karma

SplunkTrust
SplunkTrust

Just add the index field in the stats command in @gokadroid's answer, if you want to differential between exceptions from index1 and index2.

(index=index1 OR index=index2) sourcetype=mySourcetype "Caused by:"
 |  rex field=_raw "Caused by:\s(?<myException>[\S]+)"
 | stats count by index myException
0 Karma

SplunkTrust
SplunkTrust

How to get the SearchType? Its not a field in your original query.

0 Karma

Motivator

Try this please:

(index=index1 OR index=index2) sourcetype=mySourcetype "Caused by:"
|  rex field=_raw "Caused by:\s(?<myException>[\S]+)"
| stats count by myException

Also if this answer helped you, please close it by accepting the answer. Thanks.
https://answers.splunk.com/answers/486114/how-to-generate-a-table-that-lists-all-java-except.html#an...

View solution in original post

0 Karma

Communicator

Hi Gokadroid
How to extract field from below raw by using rex
We tried this

index=""  source="E:\Splunklogs\PH\Prod\MethodExecution\1088\VWNV02AX01571\MethodExecutionInfo20170215-09.txt"   | rex field=raw "(?P.[^@$@])" | rex field=_raw "(?P.[^vw]*)"

But able extract 1st Field date based on @$@ but 2nd field onwards we need to try based in 2nd occuranc of @$@ will be 2nd field server name and 3rd occurance of @$@ will be 3 field session ID like that all fields
2017-02-15 09:59:51,787@$@VWNV02AX01571@$@72f62f43-7269-4ca9-add5-3b623982a5fc@$@@$@5e3de831-cde6-4b83-be76-0235345063c3@$@OHHNCacheCommonBO@$@LogDynamicObjectsByDelegates@$@LogDynamicObjects@$@2017-02-15 09:59:51.787@$@2017-02-15 09:59:51.787@$@0@$@@$@

It would be great help for me!!!!!!!

Happy Splunking I love splunk

0 Karma