Splunk Search

How to count and filter types of error data that are in the form of strings, not fields?

shingdayho
Explorer

Hi,

So I'm running a command which displays errors for me (Aborted, Ping too slow, connection aborted, etc.); these are just strings of data, not fields.

I want to count how many of each error I get over a 7 day period. I am able to count how many there are in total; however, as the data I need to filter is just a string of data, not a field, I'm having some difficulties.

Thanks,

1 Solution

somesoni2
SplunkTrust

Try something like this

index=nagios AND "backuppc" AND "WARNING;HARD" AND "CURRENT SERVICE"  | rex "WARNING [^\(]*\([^\(]*\((?<ErrorMessage>[^=\:\),]*)" | stats count by ErrorMessage

shingdayho
Explorer

That works! Thank you for your quick replies and for helping me fix it!


gkanapathy
Splunk Employee

You would either need to define a field to differentiate the types, or you can use the "Patterns" tab to have Splunk generate event types to help differentiate different patterns of event text.


shingdayho
Explorer

Could you please point me to some examples which I could take a look at, and I'll see if I can manipulate them for my needs? Also, there is no "Patterns" tab in my Splunk; is there any other way to make Splunk generate these event types?


somesoni2
SplunkTrust
SplunkTrust

You would have to extract a field containing the error message, and then you can count the individual error messages. Please post some sample log entries, possibly covering all possible error messages, and Splunkers here can help you find a regex to extract the field.


shingdayho
Explorer

Search thus far which shows all errors:
index=nagios AND "backuppc" AND "WARNING;HARD" AND "CURRENT SERVICE"

Some example results:

03/11/2014 00:00:00.000 [1414972800] CURRENT SERVICE STATE: backuppc.shingdayho;BACKUPPC;WARNING;HARD;3;BACKUPPC WARNING - (webserver.shingdayho (ping too slow: 182.5msec (threshold is 60msec)), teamspeak.shingdayho (ping too slow: 145.4msec (threshold is 60msec)), ) host = nagios.shingdayho.com index = nagios source = /var/log/nagios/nagios.log 
03/11/2014 00:00:00.000 [1414972800] CURRENT SERVICE STATE: backuppc.shingdayho;BACKUPPC;WARNING;HARD;3;BACKUPPC WARNING - (mail2.shingdayho (aborted by signal=PIPE), ) host = nagios.shingdayho.com index = nagios source = /var/log/nagios/nagios.log 
02/11/2014 00:00:00.000 [1414886400] CURRENT SERVICE STATE: backuppc.shingdayho;BACKUPPC;WARNING;HARD;3;BACKUPPC WARNING - (webserver.shingdayho (lost network connection during backup), ) host = nagios.shingdayho.com index = nagios source = /var/log/nagios/nagios.log 
01/11/2014 00:00:00.000 [1414800000] CURRENT SERVICE STATE: backuppc.shingdayho;BACKUPPC;WARNING;HARD;3;BACKUPPC WARNING - (mail1.shingdayho (aborted by signal=PIPE), )
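As an added illustration (not part of the thread), the following Python script runs the accepted answer's regex over the four sample events posted above and counts by ErrorMessage, then shows why the first event is under-counted: a plain rex captures only the first host's error. The second regex and its SPL equivalent (`rex max_match=0` followed by `mvexpand`) are my assumption about the log format, not something from the thread.

```python
import re
from collections import Counter

# Four sample events constructed from the ones posted in the thread (Splunk
# metadata such as host/index/source trimmed off).
SAMPLE_EVENTS = [
    "03/11/2014 00:00:00.000 [1414972800] CURRENT SERVICE STATE: backuppc.shingdayho;"
    "BACKUPPC;WARNING;HARD;3;BACKUPPC WARNING - (webserver.shingdayho (ping too slow: "
    "182.5msec (threshold is 60msec)), teamspeak.shingdayho (ping too slow: 145.4msec "
    "(threshold is 60msec)), )",
    "03/11/2014 00:00:00.000 [1414972800] CURRENT SERVICE STATE: backuppc.shingdayho;"
    "BACKUPPC;WARNING;HARD;3;BACKUPPC WARNING - (mail2.shingdayho (aborted by signal=PIPE), )",
    "02/11/2014 00:00:00.000 [1414886400] CURRENT SERVICE STATE: backuppc.shingdayho;"
    "BACKUPPC;WARNING;HARD;3;BACKUPPC WARNING - (webserver.shingdayho (lost network "
    "connection during backup), )",
    "01/11/2014 00:00:00.000 [1414800000] CURRENT SERVICE STATE: backuppc.shingdayho;"
    "BACKUPPC;WARNING;HARD;3;BACKUPPC WARNING - (mail1.shingdayho (aborted by signal=PIPE), )",
]

# The accepted answer's regex: skip "WARNING - (host (" and capture up to the
# first '=', ':', ')' or ','. Like a plain `rex`, it yields one match per event.
FIRST_ERROR_RE = re.compile(r"WARNING [^\(]*\([^\(]*\((?P<ErrorMessage>[^=\:\),]*)")

# Assumed variant for events that list several hosts: each entry is
# "host (message" preceded by the opening "(" or by ", ".  In SPL this is the
# same pattern with `rex max_match=0` followed by `mvexpand ErrorMessage`.
EVERY_ERROR_RE = re.compile(r"(?:\(|, )[\w.-]+ \((?P<ErrorMessage>[^=\:\),]*)")


def count_first_error(events):
    """Mirror `rex ... | stats count by ErrorMessage`: first error per event."""
    counts = Counter()
    for event in events:
        match = FIRST_ERROR_RE.search(event)
        if match:
            counts[match.group("ErrorMessage").strip()] += 1
    return dict(counts)


def count_every_error(events):
    """Count each host-level error in an event, not only the first one."""
    counts = Counter()
    for event in events:
        for message in EVERY_ERROR_RE.findall(event):
            counts[message.strip()] += 1
    return dict(counts)


if __name__ == "__main__":
    print("first error per event :", count_first_error(SAMPLE_EVENTS))
    print("every error per event :", count_every_error(SAMPLE_EVENTS))
```

On the sample data the two counts differ only for "ping too slow" (1 versus 2), because the first event reports that error for two hosts.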