Splunk Search

How to count and filter types of error data that are in the form of strings, not fields?

shingdayho
Explorer

Hi,

So I'm running a command which displays me errors (Aborted, Ping too slow etc, connection aborted), these are just strings of data, not fields.

I want to count how many of each error I get over a 7-day period. I am able to count how many there are in total; however, as the data I need to filter is just a string of data, not a field, I'm having some difficulties.

Thanks,

1 Solution

somesoni2
SplunkTrust

Try something like this

index=nagios AND "backuppc" AND "WARNING;HARD" AND "CURRENT SERVICE"  | rex "WARNING [^\(]*\([^\(]*\((?<ErrorMessage>[^=\:\),]*)" | stats count by ErrorMessage


shingdayho
Explorer

That works! Thank you for your quick replies and for helping me fix it!

gkanapathy
Splunk Employee

You would either need to define a field to differentiate the types. Or you can use the "Patterns" tab to have Splunk generate event types to help differentiate different patterns of event text.

shingdayho
Explorer

Could you please point me to some examples which I could take a look at, and I'll see if I can adapt them to my needs? Also, there is no "Patterns" tab in my Splunk; is there any other way to make Splunk generate these event types?

somesoni2
SplunkTrust
SplunkTrust

You would have to extract a field containing the error message, and then you can count each individual error message. Please post some sample log entries, ideally covering all possible error messages, and Splunkers here can help you find a regex to extract the field.

shingdayho
Explorer

Search thus far which shows all errors:
index=nagios AND "backuppc" AND "WARNING;HARD" AND "CURRENT SERVICE"

Some example results:

03/11/2014 00:00:00.000 [1414972800] CURRENT SERVICE STATE: backuppc.shingdayho;BACKUPPC;WARNING;HARD;3;BACKUPPC WARNING - (webserver.shingdayho (ping too slow: 182.5msec (threshold is 60msec)), teamspeak.shingdayho (ping too slow: 145.4msec (threshold is 60msec)), ) host = nagios.shingdayho.com index = nagios source = /var/log/nagios/nagios.log 
03/11/2014 00:00:00.000 [1414972800] CURRENT SERVICE STATE: backuppc.shingdayho;BACKUPPC;WARNING;HARD;3;BACKUPPC WARNING - (mail2.shingdayho (aborted by signal=PIPE), ) host = nagios.shingdayho.com index = nagios source = /var/log/nagios/nagios.log 
02/11/2014 00:00:00.000 [1414886400] CURRENT SERVICE STATE: backuppc.shingdayho;BACKUPPC;WARNING;HARD;3;BACKUPPC WARNING - (webserver.shingdayho (lost network connection during backup), ) host = nagios.shingdayho.com index = nagios source = /var/log/nagios/nagios.log 
01/11/2014 00:00:00.000 [1414800000] CURRENT SERVICE STATE: backuppc.shingdayho;BACKUPPC;WARNING;HARD;3;BACKUPPC WARNING - (mail1.shingdayho (aborted by signal=PIPE), )
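As an added example (not from the thread or from Splunk), the same extraction done in Python over the sample events above, so the counts can be checked offline: first_error mirrors the accepted answer's rex, and count_errors adds the 7-day epoch window and can count every host an event lists, since the rex only captures the first host's message. The EVENTS list, the extra older event in it, and the HOST_ERROR_RE pattern are assumptions made for this example.

```python
import re
from collections import Counter

# Nagios/BackupPC events copied from the thread (Splunk's trailing
# "host = ... source = ..." field list dropped), plus one CONSTRUCTED
# older event (the last one) so the 7-day window has something to exclude.
EVENTS = [
    "03/11/2014 00:00:00.000 [1414972800] CURRENT SERVICE STATE: backuppc.shingdayho;BACKUPPC;WARNING;HARD;3;BACKUPPC WARNING - (webserver.shingdayho (ping too slow: 182.5msec (threshold is 60msec)), teamspeak.shingdayho (ping too slow: 145.4msec (threshold is 60msec)), )",
    "03/11/2014 00:00:00.000 [1414972800] CURRENT SERVICE STATE: backuppc.shingdayho;BACKUPPC;WARNING;HARD;3;BACKUPPC WARNING - (mail2.shingdayho (aborted by signal=PIPE), )",
    "02/11/2014 00:00:00.000 [1414886400] CURRENT SERVICE STATE: backuppc.shingdayho;BACKUPPC;WARNING;HARD;3;BACKUPPC WARNING - (webserver.shingdayho (lost network connection during backup), )",
    "01/11/2014 00:00:00.000 [1414800000] CURRENT SERVICE STATE: backuppc.shingdayho;BACKUPPC;WARNING;HARD;3;BACKUPPC WARNING - (mail1.shingdayho (aborted by signal=PIPE), )",
    "20/10/2014 00:00:00.000 [1413763200] CURRENT SERVICE STATE: backuppc.shingdayho;BACKUPPC;WARNING;HARD;3;BACKUPPC WARNING - (mail1.shingdayho (aborted by signal=PIPE), )",
]

# The accepted answer's rex, unchanged apart from Python's (?P<name>) syntax:
# skip to the "(" opening the host list, then to the "(" opening the message,
# and capture until "=", ":", ")" or ",". Cutting there drops the variable
# tail ("=PIPE", ": 182.5msec ...") so one error type groups together.
FIRST_ERROR_RE = re.compile(r"WARNING [^\(]*\([^\(]*\((?P<ErrorMessage>[^=\:\),]*)")

# One match per "host (message" entry in the host list. The entry must start
# the list or follow ", " so "182.5msec (threshold ..." is not taken as a host.
HOST_ERROR_RE = re.compile(r"(?:^|, )([\w.-]+) \(([^=\:\),]*)")
EPOCH_RE = re.compile(r"\[(\d+)\]")  # Nagios epoch timestamp in brackets


def first_error(event):
    """Error message the thread's rex extracts: the first listed host's only."""
    m = FIRST_ERROR_RE.search(event)
    return m.group("ErrorMessage").strip() if m else None


def count_errors(events, now_epoch, days=7, every_host=True):
    """Count error types in the last `days` days up to now_epoch.
    every_host=False reproduces rex + stats count by ErrorMessage (first host
    only); every_host=True counts every host an event lists."""
    cutoff = now_epoch - days * 86400
    counts = Counter()
    for event in events:
        ts = EPOCH_RE.search(event)
        if not ts or int(ts.group(1)) < cutoff:
            continue  # outside the window, like earliest=-7d in Splunk
        if every_host:
            host_list = event.partition("WARNING - (")[2]
            for _host, msg in HOST_ERROR_RE.findall(host_list):
                counts[msg.strip()] += 1
        else:
            msg = first_error(event)
            if msg is not None:
                counts[msg] += 1
    return dict(counts)
```

Calling count_errors(EVENTS, 1414972800) uses the newest event's timestamp as "now"; the first event counts twice under every_host=True because both webserver and teamspeak report ping too slow.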