Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to generate a table that lists all Java exceptions?

jw44250
New Member
‎01-05-2017 08:44 AM

I want to List all exceptions (java, spring, hibernate, etc) such as sql, unchecked, checkException plus any framework exception from a log in nice table format.

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gokadroid
Motivator
‎01-05-2017 11:06 AM

Answer to this question depends on how well you know the strings which come in log when the exception occur. For the lines of your log posted above we can do something like:

your query to return events
| rex field=_raw "\[SEVERE\](\s|\sat\s)(?<myException>[^\s\(]+)"
| stats count by myException

A similar scenario we handled in our projects was to target only the Caused by: line from the entire stack trace. Error logs we had were:

Caused by: org.apache.xerces.impl.io.MalformedByteSequenceException: Invalid byte 2 of 2-byte UTF-8 sequence.
        at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
        at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
        at javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:124)
        at com.citigroup.ebusiness.jfp.messaging.tibco.common.util.DOMUtils.parseXmlString(DOMUtils.java:166)
        ... 8 more

Query to fetch these were written as:

index=myIndex sourcetype=mySourcetype "Caused by:"
| rex field=_raw "Caused by:\s(?<myException>[\S]+)"
| stats count by myException

You can build upon it similarly.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gokadroid
Motivator
‎01-05-2017 11:06 AM

Answer to this question depends on how well you know the strings which come in log when the exception occur. For the lines of your log posted above we can do something like:

your query to return events
| rex field=_raw "\[SEVERE\](\s|\sat\s)(?<myException>[^\s\(]+)"
| stats count by myException

A similar scenario we handled in our projects was to target only the Caused by: line from the entire stack trace. Error logs we had were:

Caused by: org.apache.xerces.impl.io.MalformedByteSequenceException: Invalid byte 2 of 2-byte UTF-8 sequence.
        at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
        at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
        at javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:124)
        at com.citigroup.ebusiness.jfp.messaging.tibco.common.util.DOMUtils.parseXmlString(DOMUtils.java:166)
        ... 8 more

Query to fetch these were written as:

index=myIndex sourcetype=mySourcetype "Caused by:"
| rex field=_raw "Caused by:\s(?<myException>[\S]+)"
| stats count by myException

You can build upon it similarly.

0 Karma
Reply
Solved! Jump to solution

jw44250
New Member
‎01-09-2017 08:45 AM

how to combine and arrang two different fields

input is like this :

field1 . field2
10 . 20

output
Final Field
10
20

0 Karma
Reply
Solved! Jump to solution

jw44250
New Member
‎01-05-2017 05:56 PM

my result still not prefect ...i end up doing this :

index=index1 sourcetype=index1_log1 "Caused by:"
| rex field=_raw "Caused by:\s(?[\S]+)"
| stats count by myException |appendcols[search=ndex1 sourcetype=index2_log2 "Caused by:"
| rex field=_raw "Caused by:\s(?[\S]+)"
| stats count by myException]

My output is all over the places....currently try to figure the expected output since rows and columns is merges.

the above query cause me issue regarding exceptions becuase the same exception (NPE) can appear in index 1 /2 or both -- getting different wrong result -- i needed to range colns order (A, B ) . (B, A)

0 Karma
Reply
Solved! Jump to solution

gokadroid
Motivator
‎01-05-2017 08:44 PM

Try 

(index=index1 OR index=index2) (sourcetype=sourcetype1 OR sourcetype=sourcetype2)
| complete the query
0 Karma
Reply
Solved! Jump to solution

jw44250
New Member
‎01-05-2017 09:00 PM

suppose having 10 of logs files coming from 10 different applications. find total exceptions for each logs and output should look:

AppList . IndexList ExceptionName Occurance . Time
App1 index 1 java....NullPointerException . 10 7:00am
App2 index 2 java....SQLException . . 10 9:00pm

comments: (index=index1 OR index=index2) . need to use AND --- (matching is needed)

0 Karma
Reply
Solved! Jump to solution

jw44250
New Member
‎01-05-2017 12:19 PM

thanks -- why selection "Caused by: " --

im totally new to splunk

0 Karma
Reply
Solved! Jump to solution

gokadroid
Motivator
‎01-05-2017 04:11 PM

That's because in our use case we were only interested in the lines having "Caused by:" from the entire stack trace; which is the actual cause of error and there might be a lot of errors/subExceptions in the stack trace:

 index=myIndex sourcetype=mySourcetype "Caused by:"
 | rex field=_raw "Caused by:\s(?<myException>[\S]+)"
 | stats count by myException

Your log lines which you posted should work out with this query I posted initially if that's how the errors occur in your logs:

 your query to return events
 | rex field=_raw "\[SEVERE\](\s|\sat\s)(?<myException>[^\s\(]+)"
 | stats count by myException
0 Karma
Reply
Solved! Jump to solution

jw44250
New Member
‎01-05-2017 05:50 PM

thnks a lot for your help

0 Karma
Reply
Solved! Jump to solution

jw44250
New Member
‎01-05-2017 12:17 PM

i have account all the exceptions from 5apps and their logs

Field 1 . field . total Occurenance
Error . xyz . 3
Exception . NPE . 2

0 Karma
Reply
Solved! Jump to solution

hunters_splunk
Splunk Employee
Splunk Employee
‎01-05-2017 09:43 AM

Hi jw44250, could you please share a bit more info about your log, some sample data maybe? Thanks!

Reply
Solved! Jump to solution

jw44250
New Member
‎01-05-2017 10:26 AM

This is my logs
2012-08-10 08:19:17 [SEVERE] java.lang.NullPointerException
2012-08-10 08:19:17 [SEVERE] at net.minecraft.server.World.tickEntities(World.java:1146)
2012-08-10 08:19:17 [SEVERE] at net.minecraft.server.MinecraftServer.q(MinecraftServer.java:567)
2012-08-10 08:19:17 [SEVERE] at net.minecraft.server.DedicatedServer.q(DedicatedServer.java:212)
2012-08-10 08:19:17 [SEVERE] at net.minecraft.server.MinecraftServer.p(MinecraftServer.java:476)
2012-08-10 08:19:17 [SEVERE] at net.minecraft.server.MinecraftServer.run(MinecraftServer.java:408)
2012-08-10 08:19:17 [SEVERE] at net.minecraft.server.ThreadServerApplication.run(SourceFile:539)
java.lang.NullPointerException

0 Karma
Reply
Solved! Jump to solution

jw44250
New Member
‎01-05-2017 10:28 AM

Output
ExceptionName Total Occureence of Exception
AllTotalException . 60

Another Output
ExceptionName Total Occureence of Exception
.....SQLException . 10
.....NullPointerException . 5
..........................XException . 1

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...