I am trying this command, but it looks like it's displaying all the exceptions. Please let me know how to get the exceptions which are occurring only today but not earlier in Splunk.
(index=x AND (host=y) AND "java.exception" AND earliest=-1d@d latest=now NOT [ | search (index=x) AND (host=y) AND "java.exception" AND earliest=-15d@d latest=-2d@d | rex "(?<Exception>java?.[.\w]+Exception)" | stats count by Exception | sort - count ] | rex "(?<Exception>java?.[.\w]+Exception)" | stats count by Exception | sort - count
The | set diff query is also not working.
I think maybe some of the code is getting chomped in your post. I'll assume you are able to successfully execute a straightforward search that extracts the field Exception and conclude with | stats count by Exception | sort 0 - count. If that's not true, then please try reposting your code by first clicking the 101010 code button and then entering the code in the modal window.
I'm going to re-state the goal, because I think there is a more straightforward approach to what you want to do. If I understand correctly, you want to list all Exception codes whose first appearance in the last 15 days was today. That can be done in a single search with no subsearches:
index=x host=y "java.exception" earliest=-15d@d latest=now
| rex statement that extracts the Exception field
| stats earliest(_time) AS first_time BY Exception
| where first_time>=relative_time(now(), "@d")
| sort 0 - first_time
| convert ctime(first_time)
The last line just makes the timestamp in the first_time field display in human readable format; you won't need it if you plan to use the value in further comparisons or calculations.
@elliotproebstel Thank you. My end goal is to compare between 2 time durations.
Please let me know how to compare 2 time durations.
Sure, that's actually just a slight variation on the answer above. In the first answer, we gathered all events over 15 days and identified Exceptions that were first seen today. In this new challenge, we'll gather all events that occurred 1 Feb - 15 Feb and identify Exceptions that were first seen after 10 Feb. Exact same search structure, just different dates!
With your timepicker for the search, select 1 Feb as the start date and 15 Feb as the end date. We want Splunk to gather events from the overall time window, and then we'll analyze those.
index=x host=y "java.exception"
| rex statement that extracts the Exception field
| stats earliest(_time) AS first_time BY Exception
| eval window_start=strptime("2018-02-11", "%F")
| where first_time>=window_start
| stats count by Exception
@elliotproebstel Thank you very much. Now I can play with dates. Can you please explain the rex "(?<Exception>java?.[.\w]+Exception)" to me?
It's listing all the exceptions, but when continuous exceptions are present in the logs like below, it looks like it's considering only the first exception and ignoring the other 2. So it's also listing exceptions which are not unique.
Example: it's listing java.util.concurrent.ExecutionException: as unique even though it occurred before, like in this log.
logs: (java.lang.RuntimeException: java.util.concurrent.ExecutionException: java.lang.RuntimeException: org.xyz....)
try earliest=-0d@d instead of earliest=-1d@d
Yeah, but that's not a solution.
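Putting the first answer's single-search structure together with the chained-exception problem raised in the follow-up, as an added example that is not from any post in this thread: the search below keeps the 15-day baseline and the "first seen today" filter from the first answer, but uses rex max_match=0 so that every java.* exception name in a stack line such as the one quoted above (java.lang.RuntimeException: java.util.concurrent.ExecutionException: ...) is captured, and mvexpand so that each captured name is counted on its own. The index, host and search string are the placeholders from the question; the regex is the question's regex with java?. tightened to java\. (the original makes the a optional and lets . match any character, so it would also match strings that do not start with java.), which is my assumption about the intent, not something the thread states.

```spl
index=x host=y "java.exception" earliest=-15d@d latest=now
| rex max_match=0 "(?<Exception>java\.[\w.]+Exception)"
| mvexpand Exception
| stats earliest(_time) AS first_time, count AS hits BY Exception
| where first_time>=relative_time(now(), "@d")
| sort 0 - first_time
| convert ctime(first_time)
```

With max_match=0 the rex command returns a multivalue Exception field holding every match in the event instead of only the first; mvexpand then turns an event with three exception names into three events, so the stats baseline sees java.util.concurrent.ExecutionException on every day it appeared, not only on days it happened to be the outermost exception. The where clause keeps only exception names whose earliest appearance in the 15-day window is at or after midnight today; hits is the number of occurrences in the whole window, which for a genuinely new exception equals its count today. To compare two fixed date ranges instead, drop the earliest/latest terms, set the time picker to the overall window and replace the where line with the strptime window_start comparison from the second answer.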