Splunk Search

How to group type of exceptions in the log ?

Bero
New Member

Hi!
I am a relative new user of Splunk so I have only used basic search that works fine.

Background:
I'm a member of a team that maintenance a big Delphi application. That is deployed on 4 servers. If there is an exception in the application that is logged in a textfile.
This is an example how it could look like in the log:

20110429 14:39:07 (16616) [EXCEPTION] Raised EBoldOperationFailedForObjectList: Optimistic locking failed for the following 2 objects:Id: 119993351, Id: 119993879. At Location BoldSystemPersistenceHandler.TBoldSystemPersistenceHandler.UpdateDatabaseWithList (BoldSystemPersistenceHandler.pas:500)
Inner Exception Raised EBoldOperationFailedForObjectList: Optimistic locking failed for the following 2 objects:Id: 119993351, Id: 119993879. At Location BoldSystemPersistenceHandler.TBoldSystemPersistenceHandler.UpdateDatabaseWithList (BoldSystemPersistenceHandler.pas:500)
Call Stack:
    [00] BoldSystemPersistenceHandler.TBoldSystemPersistenceHandler.UpdateDatabaseWithList (BoldSystemPersistenceHandler.pas:500)
    [01] BoldSystem.TBoldSystem.UpdateDatabaseWithList (BoldSystem.pas:1868)
    [02] BoldSystem.TBoldSystem.UpdateDatabase (BoldSystem.pas:1860)
    [03] AttracsDBSync.TATSyncPersistenceHandle.DBSync (..\server\units\AttracsDBSync.pas:1071)
    [04] AttracsDBSync.TATSyncPersistenceHandle.SyncSystemWithDatabase (..\server\units\AttracsDBSync.pas:1131)
    [05] DMAttracs.TServerData.SyncSystemWithDatabase (..\server\code\DMAttracs.pas:467)
    [06] DMAttracs.TServerData.ApplicationEventsIdle (..\server\code\DMAttracs.pas:494)
    [07] AppEvnts.TCustomApplicationEvents.DoIdle (AppEvnts.pas:216)
    [08] Forms.TApplication.Idle (Forms.pas:8533)
    [09] Forms.TApplication.HandleMessage (Forms.pas:8124)    

Question:
If I for example search for "[EXCEPTION]" I got a lot of hits like the one above. This is of type EBoldOperationFailedForObjectList but there are also many others.

Is there a way to count each typ of exception ?
For example if I have 15 exceptions today maybe 5 of those are EBoldOperationFailedForObjectList, 3 are EAccessViolation, 7 are EInvalidCast then I got this list:

  1. EBoldOperationFailedForObjectList 5
  2. EAccessViolation 3
  3. EInvalidCast 7

Is it possible to get such list from Splunk or maybe a graph ?

Regards

Roland
Team Attracs

Tags (1)
0 Karma
1 Solution

howyagoin
Contributor

As JSapienza says, you want to do work with field extractions, but you can start with something like:

"EXCEPTION" | rex field=_raw "Raised (?<reason>\w+):" | chart count by reason

You can also play around with "| stats count by reason"

There is also no doubt a better way to express the RegEx, such as possibly:

 rex field=_raw "Raised (?\w+)[:]" 

But I'm horrible with RegEx.

View solution in original post

0 Karma

howyagoin
Contributor

As JSapienza says, you want to do work with field extractions, but you can start with something like:

"EXCEPTION" | rex field=_raw "Raised (?<reason>\w+):" | chart count by reason

You can also play around with "| stats count by reason"

There is also no doubt a better way to express the RegEx, such as possibly:

 rex field=_raw "Raised (?\w+)[:]" 

But I'm horrible with RegEx.

0 Karma

Bero
New Member

Im really impressed of what Splunk can do with some knowledge 🙂 Anyway this is want I want. Thanks!!!

0 Karma

JSapienza
Contributor

Sounds like you need to do a field extraction for the Exceptions :

http://www.splunk.com/base/Documentation/4.2.1/Knowledge/Addfieldsatsearchtime

Then you can drill down and perform counts based on field with the stats command:

http://www.splunk.com/base/Documentation/4.2.1/SearchReference/Stats

Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...