Splunk Search

How to retrieve top 20 errors from all application logs

Explorer

All my application logs are 'indexed' as 'customer'_application. The below shows all my Events just fine

index = *_application sourcetype = * source = * host = *

The below shows all my errors/Errors in all the Events just fine

index = *_application sourcetype = * source = * host = * error

I know that error is not a field and it must be extracted first. Unfortunately I haven't succeeded with that.
Please note that the different application logs are not all constructed (built) in the same way. The below gives me basically the desired setup, except that the 'error' message itself is missing.

index=*_application sourcetype=* source=* host=*  Error |  top limit=20 host sourcetype source

Is it even possible to achieve this, or is a certain log pattern (structure) a must? If it is possible, how?

0 Karma

Re: How to retrieve top 20 errors from all application logs

Hi edwinmae,

I think that it is normal that the error message is missing, because your results (index=*_application sourcetype=* source=* host=* Error | top limit=20 host sourcetype source) are displayed in the form of a table. You can click on the Events tab to review the errors in the events.

Make sure that you are in Verbose mode before running your search query.

So no problem! Your result matches the events that contain the error message.

Note: Although the different application logs are not all constructed in the same way, you can extract the "error" message individually in each application and then use the tag concept to name them the same way.

Link for tag concept:

http://docs.splunk.com/Documentation/Splunk/6.2.5/Knowledge/Defineandusetags

0 Karma

Re: How to retrieve top 20 errors from all application logs

Explorer

First of all, thanks for your quick response.

The below gives me the desired output, except for the message itself:

index=*_application sourcetype=* source=* host=* Error | top limit=20 host sourcetype source

I am able to see the log 'messages/events' (with Error) by clicking on the 'log-file (links)' listed under sourcetype (after the search), but I would like to have an additional column like 'message' that shows me (only) the errors that occurred most.

index=*_application sourcetype=* source=* host=* Error | top limit=20 host sourcetype source message

I know there is no field like message; I tried to get the errors listed with rex but was unsuccessful.

0 Karma
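One way to get the missing 'message' column that the post above asks for, as an added example and not a search taken from this thread: extract the text that follows the word "error" into a field with rex, collapse variable parts (numbers, IDs) so that repeats of the same error land in one row, and then pass that field to top. The regex, the field name `message` and the number normalization are assumptions; the pattern will need adjusting per sourcetype since the logs are not built the same way.

```spl
index=*_application sourcetype=* source=* host=* error
| rex field=_raw "(?i)error[^A-Za-z0-9]*(?<message>[^\r\n]{1,200})"
| where isnotnull(message)
| eval message=replace(message, "\d+", "N")
| top limit=20 host sourcetype source message showperc=false
```

Events where the regex does not match are dropped by the `where` clause, so a sourcetype that never shows up in the result is a sign its error format needs its own extraction (or a field alias in props.conf) rather than a sign it has no errors.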

Re: How to retrieve top 20 errors from all application logs

Although the different application logs are not all constructed in the same way, you can extract the "error" message individually in each application and then use the tag concept to name them the same way.

0 Karma

Re: How to retrieve top 20 errors from all application logs

In this case, you will give 'message' as the name of your tag.

0 Karma

Re: How to retrieve top 20 errors from all application logs

This is because you search through many application logs.

Follow this link for information about tags:

http://docs.splunk.com/Documentation/Splunk/6.2.5/Knowledge/Defineandusetags

0 Karma