I am a relatively new user of Splunk, so I have only used basic searches, which work fine.
I'm a member of a team that maintains a big Delphi application that is deployed on 4 servers. If there is an exception in the application, it is logged in a text file.
This is an example of how it could look in the log:
20110429 14:39:07 (16616) [EXCEPTION] Raised EBoldOperationFailedForObjectList: Optimistic locking failed for the following 2 objects:Id: 119993351, Id: 119993879. At Location BoldSystemPersistenceHandler.TBoldSystemPersistenceHandler.UpdateDatabaseWithList (BoldSystemPersistenceHandler.pas:500) Inner Exception Raised EBoldOperationFailedForObjectList: Optimistic locking failed for the following 2 objects:Id: 119993351, Id: 119993879. At Location BoldSystemPersistenceHandler.TBoldSystemPersistenceHandler.UpdateDatabaseWithList (BoldSystemPersistenceHandler.pas:500) Call Stack:  BoldSystemPersistenceHandler.TBoldSystemPersistenceHandler.UpdateDatabaseWithList (BoldSystemPersistenceHandler.pas:500)  BoldSystem.TBoldSystem.UpdateDatabaseWithList (BoldSystem.pas:1868)  BoldSystem.TBoldSystem.UpdateDatabase (BoldSystem.pas:1860)  AttracsDBSync.TATSyncPersistenceHandle.DBSync (..\server\units\AttracsDBSync.pas:1071)  AttracsDBSync.TATSyncPersistenceHandle.SyncSystemWithDatabase (..\server\units\AttracsDBSync.pas:1131)  DMAttracs.TServerData.SyncSystemWithDatabase (..\server\code\DMAttracs.pas:467)  DMAttracs.TServerData.ApplicationEventsIdle (..\server\code\DMAttracs.pas:494)  AppEvnts.TCustomApplicationEvents.DoIdle (AppEvnts.pas:216)  Forms.TApplication.Idle (Forms.pas:8533)  Forms.TApplication.HandleMessage (Forms.pas:8124)
If I, for example, search for "[EXCEPTION]", I get a lot of hits like the one above. This one is of type EBoldOperationFailedForObjectList, but there are also many others.
Is there a way to count each type of exception?
For example, if I have 15 exceptions today, maybe 5 of those are EBoldOperationFailedForObjectList, 3 are EAccessViolation, and 7 are EInvalidCast; then I get this list:
Is it possible to get such a list from Splunk, or maybe a graph?
Sounds like you need to do a field extraction for the exceptions:
Then you can drill down and perform counts based on the field with the stats command:
As JSapienza says, you want to work with field extractions, but you can start with something like:
"EXCEPTION" | rex field=_raw "Raised (?<reason>\w+):" | chart count by reason
You can also play around with "| stats count by reason"
There is also no doubt a better way to express the RegEx, such as possibly:
rex field=_raw "Raised (?
But I'm horrible with RegEx.
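The extraction and count discussed in this thread can be checked offline before it is saved as a field extraction. The following is an added example, not code from either poster: it applies the same "Raised" pattern to constructed log lines shortened from the question's format (the `[INFO]` line and all messages are made up), and the function names are hypothetical.

```python
import re
from collections import Counter

# Pattern from the rex in the answer above. Splunk writes the named group as
# (?<reason>...); Python's re module needs (?P<reason>...).
RAISED = re.compile(r"Raised (?P<reason>\w+):")

# Event prefix as in the question's sample: date, time, (number), [EXCEPTION].
EXCEPTION_EVENT = re.compile(r"^\d{8} \d{2}:\d{2}:\d{2} \(\d+\) \[EXCEPTION\] ")

# Constructed sample events, shortened from the format shown in the question.
SAMPLE_LOG = """\
20110429 14:39:07 (16616) [EXCEPTION] Raised EBoldOperationFailedForObjectList: Optimistic locking failed. At Location A.B (A.pas:500) Inner Exception Raised EBoldOperationFailedForObjectList: Optimistic locking failed. Call Stack: A.B (A.pas:500)
20110429 14:41:12 (16616) [EXCEPTION] Raised EAccessViolation: Access violation. At Location C.D (C.pas:10) Call Stack: C.D (C.pas:10)
20110429 14:45:30 (2044) [EXCEPTION] Raised EInvalidCast: Invalid class typecast. At Location E.F (E.pas:77) Call Stack: E.F (E.pas:77)
20110429 14:46:00 (2044) [INFO] Raised priority: normal
20110429 14:52:18 (2044) [EXCEPTION] Raised EBoldOperationFailedForObjectList: Optimistic locking failed. At Location A.B (A.pas:500) Inner Exception Raised EBoldOperationFailedForObjectList: Optimistic locking failed. Call Stack: A.B (A.pas:500)
"""


def count_by_reason(log_text):
    """One count per event, keyed by the first (outer) exception class.

    Taking only the first match mirrors rex with its default max_match=1.
    """
    counts = Counter()
    for line in log_text.splitlines():
        if not EXCEPTION_EVENT.match(line):
            continue  # skip non-exception lines that happen to contain "Raised x:"
        first = RAISED.search(line)
        if first:
            counts[first.group("reason")] += 1
    return counts


def count_every_match(log_text):
    """Count every 'Raised X:' hit; events with an inner exception count twice."""
    counts = Counter()
    for line in log_text.splitlines():
        if EXCEPTION_EVENT.match(line):
            counts.update(RAISED.findall(line))
    return counts


if __name__ == "__main__":
    for reason, n in count_by_reason(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {reason}")
```

The difference between the two functions is the thing to watch for in the question's log: each event repeats "Raised ...:" under "Inner Exception", so an extraction that keeps every match inflates the totals.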