Splunk Search

How to generate a table that lists all Java exceptions?

jw44250
New Member

I want to list all exceptions (java, spring, hibernate, etc) such as sql, unchecked, checkException plus any framework exception from a log in a nice table format.

0 Karma
1 Solution

gokadroid
Motivator

The answer to this question depends on how well you know the strings which come in the log when the exception occurs. For the lines of your log posted above, we can do something like:

your query to return events
| rex field=_raw "\[SEVERE\](\s|\sat\s)(?<myException>[^\s\(]+)"
| stats count by myException

A similar scenario we handled in our projects was to target only the "Caused by:" line from the entire stack trace. The error logs we had were:

Caused by: org.apache.xerces.impl.io.MalformedByteSequenceException: Invalid byte 2 of 2-byte UTF-8 sequence.
        at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
        at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
        at javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:124)
        at com.citigroup.ebusiness.jfp.messaging.tibco.common.util.DOMUtils.parseXmlString(DOMUtils.java:166)
        ... 8 more

The query to fetch these was written as:

index=myIndex sourcetype=mySourcetype "Caused by:"
| rex field=_raw "Caused by:\s(?<myException>[\S]+)"
| stats count by myException

You can build upon it similarly.


0 Karma

jw44250
New Member

How to combine and arrange two different fields?

Input is like this:

field1   field2
10       20

Output:

Final Field
10
20

0 Karma

jw44250
New Member

My result is still not perfect... I ended up doing this:

index=index1 sourcetype=index1_log1 "Caused by:"
| rex field=_raw "Caused by:\s(?<myException>[\S]+)"
| stats count by myException
| appendcols [search index=index1 sourcetype=index2_log2 "Caused by:"
    | rex field=_raw "Caused by:\s(?<myException>[\S]+)"
    | stats count by myException]

My output is all over the place... currently trying to figure out the expected output since rows and columns are merged.

The above query causes me issues regarding exceptions because the same exception (NPE) can appear in index 1/2 or both -- getting different wrong results -- I needed to arrange the column order (A, B) . (B, A)

0 Karma

gokadroid
Motivator

Try

(index=index1 OR index=index2) (sourcetype=sourcetype1 OR sourcetype=sourcetype2)
| complete the query
0 Karma
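
One way to complete the combined search above for the two-index case in this thread (an added example, not part of the original posts): a single `stats` split by `index` and `sourcetype` gives one row per exception per source, plus the overall total row asked for elsewhere in the thread. The index and sourcetype names are the thread's placeholders; the `[^\s:]+` capture (which drops the trailing colon) and the `Occurrence` and `LastSeen` column names are assumptions of this example.

```spl
(index=index1 OR index=index2) (sourcetype=sourcetype1 OR sourcetype=sourcetype2) "Caused by:"
| rex field=_raw "Caused by:\s(?<myException>[^\s:]+)"
| stats count AS Occurrence latest(_time) AS LastSeen BY index sourcetype myException
| eval LastSeen=strftime(LastSeen, "%Y-%m-%d %H:%M:%S")
| sort index sourcetype -Occurrence
| addcoltotals labelfield=myException label=AllTotalException Occurrence
```

Unlike `appendcols`, which pairs the two result sets row by row regardless of the exception name, this keeps every count on the row of the exception and source it belongs to.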

jw44250
New Member

Suppose there are 10 log files coming from 10 different applications. Find the total exceptions for each log, and the output should look like:

AppList   IndexList   ExceptionName                  Occurrence   Time
App1      index 1     java....NullPointerException   10           7:00am
App2      index 2     java....SQLException           10           9:00pm

Comments: (index=index1 OR index=index2) -- need to use AND --- (matching is needed)

0 Karma

jw44250
New Member

Thanks -- why select "Caused by: "?

I'm totally new to Splunk

0 Karma

gokadroid
Motivator

That's because in our use case we were only interested in the lines having "Caused by:" from the entire stack trace, which is the actual cause of the error, and there might be a lot of errors/subExceptions in the stack trace:

 index=myIndex sourcetype=mySourcetype "Caused by:"
 | rex field=_raw "Caused by:\s(?<myException>[\S]+)"
 | stats count by myException

Your log lines which you posted should work out with this query I posted initially if that's how the errors occur in your logs:

 your query to return events
 | rex field=_raw "\[SEVERE\](\s|\sat\s)(?<myException>[^\s\(]+)"
 | stats count by myException
0 Karma

jw44250
New Member

Thanks a lot for your help

0 Karma

jw44250
New Member

I have account all the exceptions from 5 apps and their logs

Field 1     field   total Occurrence
Error       xyz     3
Exception   NPE     2

0 Karma

hunters_splunk
Splunk Employee

Hi jw44250, could you please share a bit more info about your log, some sample data maybe? Thanks!

jw44250
New Member

These are my logs:
2012-08-10 08:19:17 [SEVERE] java.lang.NullPointerException
2012-08-10 08:19:17 [SEVERE] at net.minecraft.server.World.tickEntities(World.java:1146)
2012-08-10 08:19:17 [SEVERE] at net.minecraft.server.MinecraftServer.q(MinecraftServer.java:567)
2012-08-10 08:19:17 [SEVERE] at net.minecraft.server.DedicatedServer.q(DedicatedServer.java:212)
2012-08-10 08:19:17 [SEVERE] at net.minecraft.server.MinecraftServer.p(MinecraftServer.java:476)
2012-08-10 08:19:17 [SEVERE] at net.minecraft.server.MinecraftServer.run(MinecraftServer.java:408)
2012-08-10 08:19:17 [SEVERE] at net.minecraft.server.ThreadServerApplication.run(SourceFile:539)
java.lang.NullPointerException

0 Karma

jw44250
New Member

Output
ExceptionName       Total Occurrence of Exception
AllTotalException   60

Another Output
ExceptionName                         Total Occurrence of Exception
.....SQLException                     10
.....NullPointerException             5
..........................XException   1

0 Karma