Splunk Search

How to display the output for tomcat logs with starttime and endtime?

Path Finder

Hi,
For query

(SEVERE OR exception OR CRITICAL OR "[error]")|rex field=_raw "(?<mtime>^\d\d-\w\w\w-\d\d\d\d\s\d\d:\d\d:\d\d.\d\d\d)\s(?<detail>.*)"|stats count(detail) as ct by detail

I get the following:

detail  ct
SEVERE [tomcat-http--38] org.apache.catalina.core.ApplicationDispatcher.invoke Servlet.service() for servlet jsp threw exception    11
SEVERE [tomcat-http--47] org.apache.catalina.core.ApplicationDispatcher.invoke Servlet.service() for servlet jsp threw exception    6

Now I want to include the start mtime and end mtime in the output so that I can see something like following:

SEVERE [tomcat-http--38] org.apache.catalina.core.ApplicationDispatcher.invoke Servlet.service() for servlet jsp threw exception    11  starttime  endtime of the 11 events
SEVERE [tomcat-http--47] org.apache.catalina.core.ApplicationDispatcher.invoke Servlet.service() for servlet jsp threw exception    6   starttime of the 6 events endtime of the 6 events
SEVERE [tomcat-http--20] org.apache.catalina.core.ApplicationDispatcher.invoke Servlet.service() for servlet jsp threw exception    1   starttime  endtime (where both starttime = endtime because only 1 event) 

Tried with eventstats min(mtime) and max(mtime), but getting the min of mtime over all the 18 events. Running out of ideas.
Could someone advise me how to achieve this?

Thanks.


Path Finder

(SEVERE OR exception OR CRITICAL OR "[error]")|rex field=_raw "(?<mtime>^\d\d-\w\w\w-\d\d\d\d\s\d\d:\d\d:\d\d.\d\d\d)\s(?<detail>.*)"| transaction detail|eval startt=min(mtime)|eval endt=max(mtime)|table detail, source, host, startt, endt, eventcount


Community Manager

Hi @lim2

You put this search in the Answer section, but didn't include any context what this was for. Did this search solve your question?


SplunkTrust

What does your input look like?

---
If this reply helps you, an upvote would be appreciated.

Path Finder

(SEVERE OR exception OR CRITICAL OR "[error]")|rex field=_raw "(?<mtime>^\d\d-\w\w\w-\d\d\d\d\s\d\d:\d\d:\d\d.\d\d\d)\s(?<detail>.*)"| transaction detail|eval startt=min(mtime)|eval endt=max(mtime)|stats count(detail) by detail, source, host, startt, endt
The above query is giving me the right starttime and endtime,
but count(detail) is always 1.
How do I get the ct of events in each transaction (5 events here), like in http://docs.splunk.com/File:TransactionEx3_eventsList.png?

23-Mar-2015 10:28:22.299 SEVERE [tomcat-http--38] org.apache.catalina.core.StandardHostValve.custom Exception Processing ErrorPage[exceptionType=java.lang.Throwable, location=/error.jsp] ... 77 lines omitted ...
23-Mar-2015 10:28:37.566 SEVERE [tomcat-http--38] org.apache.catalina.core.StandardHostValve.custom Exception Processing ErrorPage[exceptionType=java.lang.Throwable, location=/error.jsp] ... 38 lines omitted ...
23-Mar-2015 10:28:50.962 SEVERE [tomcat-http--38] org.apache.catalina.core.StandardHostValve.custom Exception Processing ErrorPage[exceptionType=java.lang.Throwable, location=/error.jsp] ... 38 lines omitted ...
23-Mar-2015 10:30:31.844 SEVERE [tomcat-http--38] org.apache.catalina.core.StandardHostValve.custom Exception Processing ErrorPage[exceptionType=java.lang.Throwable, location=/error.jsp] ... 38 lines omitted ...
23-Mar-2015 10:31:04.643 SEVERE [tomcat-http--38] org.apache.catalina.core.StandardHostValve.custom Exception Processing ErrorPage[exceptionType=java.lang.Throwable, location=/error.jsp]

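The aggregate the thread is after (per distinct detail text: how many events, first timestamp, last timestamp) does not need transaction at all. transaction folds every event sharing the same detail into one merged event, which is why a following count(detail) is always 1; the number of merged events is carried in the eventcount field that the first reply already tables. A plain stats over the raw events gives all three columns in one pass, e.g. ... | stats count as ct min(_time) as startt max(_time) as endt by detail | convert ctime(startt) ctime(endt), using _time rather than the extracted mtime string because min/max on a string field compare lexically. The Python below is an added example, not from the thread or from Splunk, that reproduces that grouping offline over constructed catalina.out-style lines (the message texts mirror the thread; timestamps, the stack-trace continuation line and the INFO line are made up) so the expected shape of the output can be checked before running the search:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input in the Tomcat layout quoted in the thread.
# Message texts mirror the thread; timestamps, the "\tat ..." continuation
# line and the INFO line are made up for this example.
SAMPLE_LOG = """\
23-Mar-2015 10:28:22.299 SEVERE [tomcat-http--38] org.apache.catalina.core.StandardHostValve.custom Exception Processing ErrorPage[exceptionType=java.lang.Throwable, location=/error.jsp]
\tat org.apache.jasper.servlet.JspServlet.service(JspServlet.java:1)
23-Mar-2015 10:28:37.566 SEVERE [tomcat-http--38] org.apache.catalina.core.StandardHostValve.custom Exception Processing ErrorPage[exceptionType=java.lang.Throwable, location=/error.jsp]
23-Mar-2015 10:28:50.962 SEVERE [tomcat-http--38] org.apache.catalina.core.StandardHostValve.custom Exception Processing ErrorPage[exceptionType=java.lang.Throwable, location=/error.jsp]
23-Mar-2015 10:29:00.000 INFO [tomcat-http--12] org.apache.catalina.startup.Catalina.start Server startup in 1234 ms
23-Mar-2015 10:30:31.844 SEVERE [tomcat-http--38] org.apache.catalina.core.StandardHostValve.custom Exception Processing ErrorPage[exceptionType=java.lang.Throwable, location=/error.jsp]
23-Mar-2015 10:31:04.643 SEVERE [tomcat-http--38] org.apache.catalina.core.StandardHostValve.custom Exception Processing ErrorPage[exceptionType=java.lang.Throwable, location=/error.jsp]
23-Mar-2015 10:32:10.001 SEVERE [tomcat-http--47] org.apache.catalina.core.ApplicationDispatcher.invoke Servlet.service() for servlet jsp threw exception
"""

# Same shape as the thread's rex: a named timestamp group, one whitespace, then
# everything else as `detail` (level, thread name, logger and message).
LINE_RE = re.compile(
    r"^(?P<mtime>\d\d-\w\w\w-\d{4}\s\d\d:\d\d:\d\d\.\d{3})\s(?P<detail>.*)$"
)
TS_FMT = "%d-%b-%Y %H:%M:%S.%f"
# The search's leading keyword terms; Splunk keyword matching is case-insensitive.
FILTER_RE = re.compile(r"SEVERE|exception|CRITICAL|\[error\]", re.IGNORECASE)


def summarize(log_text):
    """Group matching, timestamped lines by their `detail` text and return,
    per group, the event count and the earliest/latest timestamp
    (the equivalent of stats count min(_time) max(_time) by detail)."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if not FILTER_RE.search(line):
            continue  # dropped by the search's OR terms
        m = LINE_RE.match(line)
        if m is None:
            continue  # stack-trace continuation line: no timestamp prefix
        groups[m.group("detail")].append(datetime.strptime(m.group("mtime"), TS_FMT))
    return {
        detail: {"ct": len(ts), "startt": min(ts), "endt": max(ts)}
        for detail, ts in groups.items()
    }


def render_table(summary):
    """Render rows in the layout the question asks for: detail, ct, startt, endt."""
    rows = []
    for detail, s in sorted(summary.items()):
        start = s["startt"].strftime(TS_FMT)[:-3]  # trim microseconds to millis
        end = s["endt"].strftime(TS_FMT)[:-3]
        rows.append(f"{detail}\t{s['ct']}\t{start}\t{end}")
    return rows


if __name__ == "__main__":
    print("\n".join(render_table(summarize(SAMPLE_LOG))))
```

Running it prints one row for the tomcat-http--38 group with ct 5 and the first/last of its five timestamps, and one row for the single tomcat-http--47 event where startt equals endt, which is exactly the single-event case the question describes. Because the grouping key is the whole detail string, two threads logging the same message land in separate rows, matching the thread's own output.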