Splunk Search

How to extract error codes coming within single event?

pradeepkm
Explorer

I have an event which contains error reason codes of failed records. I have to extract these reason codes and get a count of each of these reason codes.

0 Karma

venky1544
Builder

Hi @pradeepkm 

Is this a multiline event?

your search | rex field=_raw "Reason code::(?<Reason_code>[\w+ ]+)" |stats count by Reason_code 

0 Karma

pradeepkm
Explorer

No, all reason codes are coming in a single event. That’s where I have difficulty in gathering stats.

0 Karma

venky1544
Builder

Hi @pradeepkm 

Just try the search below:

 index="response" sourcetype="new" | rex field=_raw "Reason code::(?<Reason_code>[\w+ ]+)" max_match=0 |stats count by Reason_code

I just ingested your data and ran the above search query; just replace your search before the rex command.


If this helps, karma points are appreciated.

0 Karma

gcusello
SplunkTrust

Hi @pradeepkm,

To extract these error codes you have to create a field using a regex and then use a stats command to aggregate them.

Only as an example, if you want to take the Oracle errors that are always "ORAXXXX" where XXXX is a four-digit number, you should use a search like this:

index=your_index
| rex "(?<ora_error>ORA\d+)"
| stats count BY ora_error

To better help you I'd need a sample of your logs.

Ciao.

Giuseppe

0 Karma

pradeepkm
Explorer

This is what my event looks like:

Processing started….

Record No 1
Reason code : :Component code not found 

Record No.3

Reason code: :Address not found 

Record No.7

Reason code::Address not found 

processing ended at…

0 Karma
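
Added example (not part of any post in this thread): a Python check of the extraction logic discussed above, run against the sample event as it appears in the thread. It contrasts rex's default of keeping only the first match per event with max_match=0, and compares the posted pattern with a whitespace-tolerant variant; the TOLERANT pattern and the function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: the event text transcribed from the thread, keeping its
# three spellings of the separator (" : :", ": :", "::").
SAMPLE_EVENT = """Processing started….
Record No 1
Reason code : :Component code not found
Record No.3
Reason code: :Address not found
Record No.7
Reason code::Address not found
processing ended at…
"""

# Pattern from the thread; Python writes named groups as (?P<name>...).
STRICT = re.compile(r"Reason code::(?P<Reason_code>[\w+ ]+)")
# Assumption (not from the thread): allow optional whitespace around each colon.
TOLERANT = re.compile(r"Reason code\s*:\s*:\s*(?P<Reason_code>[\w+ ]+)")


def extract(event, pattern, max_match=0):
    """Mimic rex: max_match=1 keeps the first match only, 0 keeps every match."""
    # strip() so trailing spaces do not create separate values when counting.
    values = [m.group("Reason_code").strip() for m in pattern.finditer(event)]
    return values if max_match == 0 else values[:max_match]


def count_by_reason(events, pattern, max_match=0):
    """Tally every extracted value across events (the role of the stats step)."""
    counts = Counter()
    for event in events:
        counts.update(extract(event, pattern, max_match))
    return dict(counts)


if __name__ == "__main__":
    cases = [
        ("posted pattern, all matches", STRICT, 0),
        ("tolerant pattern, first match only", TOLERANT, 1),
        ("tolerant pattern, all matches", TOLERANT, 0),
    ]
    for label, pattern, max_match in cases:
        print(f"{label}: {count_by_reason([SAMPLE_EVENT], pattern, max_match)}")
```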