The answer to this question depends on how well you know the strings that appear in the log when the exception occurs. For the lines of your log posted above we can do something like:
your query to return events
| rex field=_raw "\[SEVERE\](\s|\sat\s)(?<myException>[^\s\(]+)"
| stats count by myException
A similar scenario we handled in our projects was to target only the "Caused by:" line from the entire stack trace. The error logs we had were:
Caused by: org.apache.xerces.impl.io.MalformedByteSequenceException: Invalid byte 2 of 2-byte UTF-8 sequence.
at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
at javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:124)
at com.citigroup.ebusiness.jfp.messaging.tibco.common.util.DOMUtils.parseXmlString(DOMUtils.java:166)
... 8 more
The query to fetch these was written as:
index=myIndex sourcetype=mySourcetype "Caused by:"
| rex field=_raw "Caused by:\s(?<myException>[\S]+)"
| stats count by myException
You can build upon it similarly.
How to combine and arrange two different fields
input is like this :
field1 . field2
10 . 20
output
Final Field
10
20
My result is still not perfect... I ended up doing this:
index=index1 sourcetype=index1_log1 "Caused by:"
| rex field=_raw "Caused by:\s(?<myException>[\S]+)"
| stats count by myException | appendcols [search index=index1 sourcetype=index2_log2 "Caused by:"
| rex field=_raw "Caused by:\s(?<myException>[\S]+)"
| stats count by myException]
My output is all over the place... currently trying to figure out the expected output since rows and columns are merged.
The above query causes me issues regarding exceptions because the same exception (NPE) can appear in index 1/2 or both -- getting different wrong results -- I needed to arrange the column order (A, B) . (B, A)
Try
(index=index1 OR index=index2) (sourcetype=sourcetype1 OR sourcetype=sourcetype2)
| complete the query
Suppose we have 10 log files coming from 10 different applications. Find the total exceptions for each log; the output should look like:
AppList . IndexList ExceptionName Occurrence . Time
App1 index 1 java....NullPointerException . 10 7:00am
App2 index 2 java....SQLException . . 10 9:00pm
comments: (index=index1 OR index=index2) . need to use AND --- (matching is needed)
thanks -- why selection "Caused by: " --
I'm totally new to Splunk
That's because in our use case we were only interested in the lines having "Caused by:" from the entire stack trace; which is the actual cause of error and there might be a lot of errors/subExceptions in the stack trace:
index=myIndex sourcetype=mySourcetype "Caused by:"
| rex field=_raw "Caused by:\s(?<myException>[\S]+)"
| stats count by myException
Your log lines which you posted should work out with this query I posted initially if that's how the errors occur in your logs:
your query to return events
| rex field=_raw "\[SEVERE\](\s|\sat\s)(?<myException>[^\s\(]+)"
| stats count by myException
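Added example (not part of the original thread): a Python check of what the two `rex` patterns above capture when each log line is its own event, plus a one-pass count grouped by index and exception. The sample events, the index names and the tightened `EXCEPTION_CLASS` pattern are assumptions made for illustration; `(?<name>...)` is written as `(?P<name>...)` because Python's `re` requires that form.

```python
import re
from collections import Counter

# Constructed sample events modelled on the log lines quoted in this thread.
# Each tuple is (index, raw event); the index names are placeholders.
EVENTS = [
    ("index1", "2012-08-10 08:19:17 [SEVERE] java.lang.NullPointerException"),
    ("index1", "2012-08-10 08:19:17 [SEVERE] at net.minecraft.server.World.tickEntities(World.java:1146)"),
    ("index2", "2012-08-10 08:19:18 [SEVERE] java.lang.NullPointerException"),
    ("index2", "Caused by: org.apache.xerces.impl.io.MalformedByteSequenceException: Invalid byte 2 of 2-byte UTF-8 sequence."),
    ("index2", "2012-08-10 08:19:19 [SEVERE] java.sql.SQLException: connection reset"),
]

# The two patterns from the thread, only the named-group syntax changed.
SEVERE_AS_POSTED = re.compile(r"\[SEVERE\](\s|\sat\s)(?P<myException>[^\s\(]+)")
CAUSED_AS_POSTED = re.compile(r"Caused by:\s(?P<myException>[\S]+)")

# Tightened variant (assumption about the goal): ignore "at ..." frame lines
# and stop the class name before the ':' that introduces the message.
EXCEPTION_CLASS = re.compile(
    r"(?:\[SEVERE\]|Caused by:)\s(?!at\s)"
    r"(?P<myException>[\w.$]+(?:Exception|Error))\b"
)

def extract(pattern, raw):
    """Return the myException capture for one raw event, or None."""
    m = pattern.search(raw)
    return m.group("myException") if m else None

def count_by_index(events, pattern=EXCEPTION_CLASS):
    """One pass over all events, like `stats count by index, myException`."""
    counts = Counter()
    for index, raw in events:
        name = extract(pattern, raw)
        if name:
            counts[(index, name)] += 1
    return counts

if __name__ == "__main__":
    for index, raw in EVENTS:
        print(index, extract(SEVERE_AS_POSTED, raw), extract(EXCEPTION_CLASS, raw))
    for key, n in sorted(count_by_index(EVENTS).items()):
        print(key, n)
```

On a single-line frame event the `[SEVERE]` pattern yields `at`, because the `\s` alternative matches first, and both posted patterns keep a trailing `:` when a message follows the class name. Grouping by index in the same pass keeps each count attached to its own index, so the same exception appearing in both indexes stays on separate rows.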
Thanks a lot for your help
I have to count all the exceptions from 5 apps and their logs
Field 1 . field . total Occurrence
Error . xyz . 3
Exception . NPE . 2
Hi jw44250, could you please share a bit more info about your log, some sample data maybe? Thanks!
These are my logs
2012-08-10 08:19:17 [SEVERE] java.lang.NullPointerException
2012-08-10 08:19:17 [SEVERE] at net.minecraft.server.World.tickEntities(World.java:1146)
2012-08-10 08:19:17 [SEVERE] at net.minecraft.server.MinecraftServer.q(MinecraftServer.java:567)
2012-08-10 08:19:17 [SEVERE] at net.minecraft.server.DedicatedServer.q(DedicatedServer.java:212)
2012-08-10 08:19:17 [SEVERE] at net.minecraft.server.MinecraftServer.p(MinecraftServer.java:476)
2012-08-10 08:19:17 [SEVERE] at net.minecraft.server.MinecraftServer.run(MinecraftServer.java:408)
2012-08-10 08:19:17 [SEVERE] at net.minecraft.server.ThreadServerApplication.run(SourceFile:539)
java.lang.NullPointerException
Output
ExceptionName Total Occurrence of Exception
AllTotalException . 60
Another Output
ExceptionName Total Occurrence of Exception
.....SQLException . 10
.....NullPointerException . 5
..........................XException . 1