Splunk Search

How to group type of exceptions in the log?

Bero
New Member

Hi!
I am a relatively new user of Splunk so I have only used basic search that works fine.

Background:
I'm a member of a team that maintains a big Delphi application that is deployed on 4 servers. If there is an exception in the application, it is logged in a text file.
This is an example of how it could look in the log:

20110429 14:39:07 (16616) [EXCEPTION] Raised EBoldOperationFailedForObjectList: Optimistic locking failed for the following 2 objects:Id: 119993351, Id: 119993879. At Location BoldSystemPersistenceHandler.TBoldSystemPersistenceHandler.UpdateDatabaseWithList (BoldSystemPersistenceHandler.pas:500)
Inner Exception Raised EBoldOperationFailedForObjectList: Optimistic locking failed for the following 2 objects:Id: 119993351, Id: 119993879. At Location BoldSystemPersistenceHandler.TBoldSystemPersistenceHandler.UpdateDatabaseWithList (BoldSystemPersistenceHandler.pas:500)
Call Stack:
    [00] BoldSystemPersistenceHandler.TBoldSystemPersistenceHandler.UpdateDatabaseWithList (BoldSystemPersistenceHandler.pas:500)
    [01] BoldSystem.TBoldSystem.UpdateDatabaseWithList (BoldSystem.pas:1868)
    [02] BoldSystem.TBoldSystem.UpdateDatabase (BoldSystem.pas:1860)
    [03] AttracsDBSync.TATSyncPersistenceHandle.DBSync (..\server\units\AttracsDBSync.pas:1071)
    [04] AttracsDBSync.TATSyncPersistenceHandle.SyncSystemWithDatabase (..\server\units\AttracsDBSync.pas:1131)
    [05] DMAttracs.TServerData.SyncSystemWithDatabase (..\server\code\DMAttracs.pas:467)
    [06] DMAttracs.TServerData.ApplicationEventsIdle (..\server\code\DMAttracs.pas:494)
    [07] AppEvnts.TCustomApplicationEvents.DoIdle (AppEvnts.pas:216)
    [08] Forms.TApplication.Idle (Forms.pas:8533)
    [09] Forms.TApplication.HandleMessage (Forms.pas:8124)    

Question:
If I, for example, search for "[EXCEPTION]" I get a lot of hits like the one above. This is of type EBoldOperationFailedForObjectList but there are also many others.

Is there a way to count each type of exception?
For example, if I have 15 exceptions today, maybe 5 of those are EBoldOperationFailedForObjectList, 3 are EAccessViolation, 7 are EInvalidCast, then I get this list:

  1. EBoldOperationFailedForObjectList 5
  2. EAccessViolation 3
  3. EInvalidCast 7

Is it possible to get such a list from Splunk, or maybe a graph?

Regards

Roland
Team Attracs

0 Karma
1 Solution

howyagoin
Contributor

As JSapienza says, you want to do work with field extractions, but you can start with something like:

"EXCEPTION" | rex field=_raw "Raised (?<reason>\w+):" | chart count by reason

You can also play around with "| stats count by reason"

There is also no doubt a better way to express the RegEx, such as possibly:

 rex field=_raw "Raised (?<reason>\w+)[:]" 

But I'm horrible with RegEx.


0 Karma

Bero
New Member

I'm really impressed by what Splunk can do with some knowledge :) Anyway, this is what I want. Thanks!!!

0 Karma

JSapienza
Contributor

Sounds like you need to do a field extraction for the exceptions:

http://www.splunk.com/base/Documentation/4.2.1/Knowledge/Addfieldsatsearchtime

Then you can drill down and perform counts based on field with the stats command:

http://www.splunk.com/base/Documentation/4.2.1/SearchReference/Stats
