Splunk Search

How to group types of exceptions in the log?

Bero
New Member

Hi!
I am a relatively new user of Splunk, so I have only used basic searches, which work fine.

Background:
I'm a member of a team that maintains a big Delphi application that is deployed on 4 servers. If there is an exception in the application, it is logged in a text file.
This is an example of how it could look in the log:

20110429 14:39:07 (16616) [EXCEPTION] Raised EBoldOperationFailedForObjectList: Optimistic locking failed for the following 2 objects:Id: 119993351, Id: 119993879. At Location BoldSystemPersistenceHandler.TBoldSystemPersistenceHandler.UpdateDatabaseWithList (BoldSystemPersistenceHandler.pas:500)
Inner Exception Raised EBoldOperationFailedForObjectList: Optimistic locking failed for the following 2 objects:Id: 119993351, Id: 119993879. At Location BoldSystemPersistenceHandler.TBoldSystemPersistenceHandler.UpdateDatabaseWithList (BoldSystemPersistenceHandler.pas:500)
Call Stack:
    [00] BoldSystemPersistenceHandler.TBoldSystemPersistenceHandler.UpdateDatabaseWithList (BoldSystemPersistenceHandler.pas:500)
    [01] BoldSystem.TBoldSystem.UpdateDatabaseWithList (BoldSystem.pas:1868)
    [02] BoldSystem.TBoldSystem.UpdateDatabase (BoldSystem.pas:1860)
    [03] AttracsDBSync.TATSyncPersistenceHandle.DBSync (..\server\units\AttracsDBSync.pas:1071)
    [04] AttracsDBSync.TATSyncPersistenceHandle.SyncSystemWithDatabase (..\server\units\AttracsDBSync.pas:1131)
    [05] DMAttracs.TServerData.SyncSystemWithDatabase (..\server\code\DMAttracs.pas:467)
    [06] DMAttracs.TServerData.ApplicationEventsIdle (..\server\code\DMAttracs.pas:494)
    [07] AppEvnts.TCustomApplicationEvents.DoIdle (AppEvnts.pas:216)
    [08] Forms.TApplication.Idle (Forms.pas:8533)
    [09] Forms.TApplication.HandleMessage (Forms.pas:8124)    

Question:
If I, for example, search for "[EXCEPTION]", I get a lot of hits like the one above. This one is of type EBoldOperationFailedForObjectList, but there are also many others.

Is there a way to count each type of exception?
For example, if I have 15 exceptions today, maybe 5 of those are EBoldOperationFailedForObjectList, 3 are EAccessViolation and 7 are EInvalidCast. Then I would get this list:

  1. EBoldOperationFailedForObjectList 5
  2. EAccessViolation 3
  3. EInvalidCast 7

Is it possible to get such a list from Splunk, or maybe a graph?

Regards

Roland
Team Attracs

0 Karma
1 Solution

howyagoin
Contributor

As JSapienza says, you want to work with field extractions, but you can start with something like:

"EXCEPTION" | rex field=_raw "Raised (?<reason>\w+):" | chart count by reason

You can also play around with "| stats count by reason"

There is also no doubt a better way to express the RegEx, such as possibly:

 rex field=_raw "Raised (?<reason>\w+)[:]" 

But I'm horrible with RegEx.

0 Karma
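
The extraction from the answer above, reproduced outside Splunk as an added Python example (not part of the original thread), useful for checking the regex against a log file before relying on the counts. It assumes an event starts at each timestamped line, as in the sample from the question; the function names and most of the sample log are constructed for illustration. It also shows why each event must be counted once: the "Inner Exception Raised ..." line repeats the pattern inside the same event.

```python
import re
from collections import Counter

# An event starts on a line shaped like "20110429 14:39:07 (16616) [EXCEPTION] ..."
# (assumption based on the single sample in the question).
EVENT_START = re.compile(r"^\d{8} \d{2}:\d{2}:\d{2} \(\d+\) \[(?P<level>\w+)\]")
# Same pattern as the rex in the answer: the word after "Raised", up to the colon.
REASON = re.compile(r"Raised (?P<reason>\w+):")

def split_events(log_text):
    """Group continuation lines (inner exception, call stack) with their header line."""
    events, current = [], []
    for line in log_text.splitlines():
        if EVENT_START.match(line) and current:
            events.append("\n".join(current))
            current = []
        if line.strip():
            current.append(line)
    if current:
        events.append("\n".join(current))
    return events

def count_by_reason(log_text):
    """Count [EXCEPTION] events per exception class, one count per event."""
    counts = Counter()
    for event in split_events(log_text):
        header = EVENT_START.match(event)
        if not header or header.group("level") != "EXCEPTION":
            continue
        # search() returns only the first match, so the "Inner Exception Raised ..."
        # line of the same event is not counted a second time.
        m = REASON.search(event)
        counts[m.group("reason") if m else "UNPARSED"] += 1
    return counts

# Constructed sample: first event abridged from the question, the rest made up.
SAMPLE_LOG = """\
20110429 14:39:07 (16616) [EXCEPTION] Raised EBoldOperationFailedForObjectList: Optimistic locking failed
Inner Exception Raised EBoldOperationFailedForObjectList: Optimistic locking failed
Call Stack:
    [00] BoldSystem.TBoldSystem.UpdateDatabase (BoldSystem.pas:1860)
20110429 14:40:12 (16616) [INFO] Sync finished
20110429 14:41:55 (16620) [EXCEPTION] Raised EAccessViolation: Access violation at address 00000000
20110429 14:43:01 (16616) [EXCEPTION] Raised EInvalidCast: Invalid class typecast
20110429 14:44:30 (16620) [EXCEPTION] Raised EAccessViolation: Access violation at address 00000000
"""

print(count_by_reason(SAMPLE_LOG).most_common())
```

Events whose header carries [EXCEPTION] but no "Raised Name:" text are counted under UNPARSED, so a format change in the application shows up in the totals.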


Bero
New Member

I'm really impressed by what Splunk can do with some knowledge 🙂 Anyway, this is what I want. Thanks!!!

0 Karma

JSapienza
Contributor

Sounds like you need to do a field extraction for the exceptions:

http://www.splunk.com/base/Documentation/4.2.1/Knowledge/Addfieldsatsearchtime

Then you can drill down and perform counts based on field with the stats command:

http://www.splunk.com/base/Documentation/4.2.1/SearchReference/Stats
