I have been able to get unique results for each log... now my issue is that I don't know how to combine the results.
This works:
index=index1 sourcetype=mySourcetype "Caused by:"
| rex field=_raw "Caused by:\s(?<myException>[\S]+)"
| stats count by myException
index=index2 sourcetype=mySourcetype "Caused by:"
| rex field=_raw "Caused by:\s(?<myException>[\S]+)"
| stats count by myException
How to join index1 and index2 and print the result?
Try this please:
(index=index1 OR index=index2) sourcetype=mySourcetype "Caused by:"
| rex field=_raw "Caused by:\s(?<myException>[\S]+)"
| stats count by myException
Also if this answer helped you, please close it by accepting the answer. Thanks.
https://answers.splunk.com/answers/486114/how-to-generate-a-table-that-lists-all-java-except.html#an...
How do you want to combine: get a single total, OR get separate totals in a single search result? @gokadroid's answer is giving you the former.
The output I am looking for is:
SearchType . ExceptionName . Occurrence
xyz . java.io.Exception . 10
abc . java.lang.ClassException . 5
Separate totals in a single search row.
I think what I understood the requirement to be was:
index1 had exception1, exception2
index2 had exception2, exception3
Required output
Type         count
exception1   1
exception2   2
exception3   1
That's why having an expected output in the question clears the requirement 100% of the time.
Just add the index field in the stats command in @gokadroid's answer, if you want to differentiate between exceptions from index1 and index2.
(index=index1 OR index=index2) sourcetype=mySourcetype "Caused by:"
| rex field=_raw "Caused by:\s(?<myException>[\S]+)"
| stats count by index myException
How to get the SearchType? It's not a field in your original query.
Hi Gokadroid,
How to extract fields from the raw event below by using rex?
We tried this:
index="" source="E:\Splunk_logs\PH\Prod\MethodExecution\1088\VWNV02AX01571\MethodExecutionInfo20170215-09.txt" | rex field=_raw "(?P.[^@$@])" | rex field=_raw "(?P.[^vw]*)"
We are able to extract the 1st field (date) based on @$@, but from the 2nd field onwards we need to go by the occurrences of @$@: the 2nd occurrence of @$@ will be the 2nd field (server name), the 3rd occurrence of @$@ will be the 3rd field (session ID), and so on for all fields.
2017-02-15 09:59:51,787@$@VWNV02AX01571@$@72f62f43-7269-4ca9-add5-3b623982a5fc@$@@$@5e3de831-cde6-4b83-be76-0235345063c3@$@OHHNCacheCommonBO@$@LogDynamicObjectsByDelegates@$@LogDynamicObjects@$@2017-02-15 09:59:51.787@$@2017-02-15 09:59:51.787@$@0@$@@$@
It would be great help for me!!!!!!!
Happy Splunking I love splunk
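Added example, not part of the original thread: a Python check of a `@$@`-delimited extraction against the sample event posted above, which also produces the same pattern in the `(?<name>...)` form that the rex answers in this thread use. The field names `log_time`, `server` and `session_id` are assumptions (the post gives only the positions), and events are assumed to be single-line.

```python
import re

DELIM = "@$@"
DELIM_RE = r"@\$@"  # '$' is a regex anchor, so the literal delimiter must escape it

# Sample event copied from the post above.
SAMPLE = ("2017-02-15 09:59:51,787@$@VWNV02AX01571@$@"
          "72f62f43-7269-4ca9-add5-3b623982a5fc@$@@$@"
          "5e3de831-cde6-4b83-be76-0235345063c3@$@OHHNCacheCommonBO@$@"
          "LogDynamicObjectsByDelegates@$@LogDynamicObjects@$@"
          "2017-02-15 09:59:51.787@$@2017-02-15 09:59:51.787@$@0@$@@$@")

# Hypothetical names for the first three positions described in the post.
FIELDS = ["log_time", "server", "session_id"]


def build_pattern(fields, dialect="python"):
    """One lazy group per field, each ended by the literal 3-character delimiter.

    dialect="python" emits (?P<name>...) for Python's re module;
    dialect="pcre" emits (?<name>...) as written in the rex answers above.
    """
    opener = "(?P<{}>" if dialect == "python" else "(?<{}>"
    return "^" + "".join(opener.format(f) + ".*?)" + DELIM_RE for f in fields)


def extract(event, fields=FIELDS):
    """Return a dict of the named leading fields, or None if the event does not match."""
    m = re.match(build_pattern(fields), event)
    return m.groupdict() if m else None


def split_all(event):
    """Positional view of every column; str.split keeps empty columns in place."""
    return event.split(DELIM)


if __name__ == "__main__":
    print(extract(SAMPLE))
    for pos, value in enumerate(split_all(SAMPLE)):
        print(pos, repr(value))
    # Pattern in the named-group form used with rex in this thread.
    print(build_pattern(FIELDS, dialect="pcre"))
```

Matching lazily up to the full `@\$@` sequence, rather than using a character class such as `[^@]*`, keeps a value that itself contains `@` or `$` in one field, and empty columns (the `@$@@$@` runs in the sample) still occupy their position.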