Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to display the output for tomcat logs with starttime and endtime?

lim2
Communicator
‎03-23-2015 09:02 AM

Hi,
For query

(SEVERE OR exception OR CRITICAL OR "[error]")|rex field=_raw  "(?^\d\d-\w\w\w-\d\d\d\d\s\d\d:\d\d:\d\d.\d\d\d)\s(?.*)"|stats count(detail) as ct by detail

I get the following:

detail  ct
SEVERE [tomcat-http--38] org.apache.catalina.core.ApplicationDispatcher.invoke Servlet.service() for servlet jsp threw exception    11
SEVERE [tomcat-http--47] org.apache.catalina.core.ApplicationDispatcher.invoke Servlet.service() for servlet jsp threw exception    6

Now I want to include the start mtime and end mtime in the output so that I can see something like following:

SEVERE [tomcat-http--38] org.apache.catalina.core.ApplicationDispatcher.invoke Servlet.service() for servlet jsp threw exception    11  starttime  endtime of the 11 events
SEVERE [tomcat-http--47] org.apache.catalina.core.ApplicationDispatcher.invoke Servlet.service() for servlet jsp threw exception    6   starttime of the 6 events endtime of the 6 events
SEVERE [tomcat-http--20] org.apache.catalina.core.ApplicationDispatcher.invoke Servlet.service() for servlet jsp threw exception    1   starttime  endtime (where both starttime = endtime because only 1 event)

Tried with eventstats min(mtime) and max(mtime), but getting min of mtime of all the 18 events. Running out of ideas.
could someone advise me how to achieve this?

Thanks.

0 Karma
Reply

lim2
Communicator
‎03-28-2015 06:08 PM

(SEVERE OR exception OR CRITICAL OR "[error]")|rex field=_raw "(?^dd-www-ddddsdd:dd:dd.ddd)s(?.*)"| transaction detail|eval startt=min(mtime)|eval endt=max(mtime)|table detail, source, host, startt, endt, eventcount

0 Karma
Reply

ppablo
Retired
‎03-30-2015 01:21 PM

Hi @lim2

You put this search in the Answer section, but didn't include any context what this was for. Did this search solve your question?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-23-2015 09:48 AM

What does your input look like?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

lim2
Communicator
‎03-28-2015 04:54 PM

(SEVERE OR exception OR CRITICAL OR "[error]")|rex field=_raw "(?^\d\d-\w\w\w-\d\d\d\d\s\d\d:\d\d:\d\d.\d\d\d)\s(?.*)"| transaction detail|eval startt=min(mtime)|eval endt=max(mtime)|stats count(detail) by detail, source, host, startt, endt
The above query is giving me the right starttime and endtime
But count(detail) is always 1.
How to get ct of events in each transaction, 5 events ? like in http://docs.splunk.com/File:TransactionEx3_eventsList.png

23-Mar-2015 10:28:22.299 SEVERE [tomcat-http--38] org.apache.catalina.core.StandardHostValve.custom Exception Processing ErrorPage[exceptionType=java.lang.Throwable, location=/error.jsp] ... 77 lines omitted ...
23-Mar-2015 10:28:37.566 SEVERE [tomcat-http--38] org.apache.catalina.core.StandardHostValve.custom Exception Processing ErrorPage[exceptionType=java.lang.Throwable, location=/error.jsp] ... 38 lines omitted ...
23-Mar-2015 10:28:50.962 SEVERE [tomcat-http--38] org.apache.catalina.core.StandardHostValve.custom Exception Processing ErrorPage[exceptionType=java.lang.Throwable, location=/error.jsp] ... 38 lines omitted ...
23-Mar-2015 10:30:31.844 SEVERE [tomcat-http--38] org.apache.catalina.core.StandardHostValve.custom Exception Processing ErrorPage[exceptionType=java.lang.Throwable, location=/error.jsp] ... 38 lines omitted ...
23-Mar-2015 10:31:04.643 SEVERE [tomcat-http--38] org.apache.catalina.core.StandardHostValve.custom Exception Processing ErrorPage[exceptionType=java.lang.Throwable, location=/error.jsp]

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...