Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to sort different error strings in one log file?

Bergans
Engager
‎08-20-2014 12:07 AM

Hi,
I'm currently importing log-files into Splunk, to monitor the different kind of Errors that passes through the system that are monitored.
Up to now I've only searched for the string 'ERROR' in each log file. Since a log file may contain many different kind of errors, the result is that many kind of Errors are presented together. I would like to sort/group the different kind of errors in one diagram.

The search as today is as follows (for one of the log-files)

ERROR source="/home/logs/DataTransferService.log"

The result would then consist of many different ERROR messages, similar to these three (as an example):

2014-08-19 12:00:00,394 [pool-1-thread-1] ERROR - Unexpected error com.eMeter.PIPe.datatransferservice.exception.DTSRuntimeException:…

2014-08-19 11:20:01,815 [pool-1-thread-4] ERROR - Invalid date. java.lang.NullPointerException:…

2014-08-19 11:20:01,814 [pool-1-thread-4] ERROR - SDP lookup failed [null]: id to load is required for loading [Additional Information:…
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎08-20-2014 01:48 AM

Well, it's not entirely clear what you want to achieve. Sorting and grouping is usually performed on fields. Say that you want to group all errors on the type of error ("Unexpected error", "Invalid date" or "SDP lookup failed" in your example), you need to extract this part of the message as a field (let's call it errType) and whatever comes after it is extracted as errMsg. This can be done in config files or inline in the search query. We'll do the latter here. 

ERROR source="/home/logs/DataTransferService.log" 
| rex "\sERROR\s-\s(?<errType>[^\.\r\n:]+)(?<errMsg>.*)"
| eval niceTime = strftime(_time, "%F %T")
| stats list(niceTime) list(errMsg) by errType

This should result in an output like

Unexpected Error        2014-06-20 11:22:23     com.eMeter.PIPe.datatransferblahblahblahb
                        2014-06-21 12:23:34     some.other.errormessage
Invalid date            2014-06-23 22:32:21     Blah Blah Blah error

and so forth. Maybe something like that is what you're looking for?

/K

View solution in original post

Reply
Solved! Jump to solution

Bergans
Engager
‎08-20-2014 02:52 AM

No, the Errors may be identified by 'ERROR - '*

0 Karma
Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎08-20-2014 01:48 AM

Well, it's not entirely clear what you want to achieve. Sorting and grouping is usually performed on fields. Say that you want to group all errors on the type of error ("Unexpected error", "Invalid date" or "SDP lookup failed" in your example), you need to extract this part of the message as a field (let's call it errType) and whatever comes after it is extracted as errMsg. This can be done in config files or inline in the search query. We'll do the latter here. 

ERROR source="/home/logs/DataTransferService.log" 
| rex "\sERROR\s-\s(?<errType>[^\.\r\n:]+)(?<errMsg>.*)"
| eval niceTime = strftime(_time, "%F %T")
| stats list(niceTime) list(errMsg) by errType

This should result in an output like

Unexpected Error        2014-06-20 11:22:23     com.eMeter.PIPe.datatransferblahblahblahb
                        2014-06-21 12:23:34     some.other.errormessage
Invalid date            2014-06-23 22:32:21     Blah Blah Blah error

and so forth. Maybe something like that is what you're looking for?

/K

Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎08-20-2014 05:10 AM

btw, if you're NOT doing the stats list(niceTime) part, you can skip the preceding eval niceTime strftime(_time, "%F %T") as well.

EDIT : missing "NOT"
/k

Reply
Solved! Jump to solution

Bergans
Engager
‎08-20-2014 03:33 AM

Thanks a lot @kristian.kolb,
I see that I was a bit unclear about what really wanted to achieve. I changed your last part:

| stats list(niceTime) list(errMsg) by errType"

with:

| timechart span=1d count by errType usenull=f

Then I got exactly what I needed.
Now I got a sorted list of the different kind of errors, and a visualized graphical view.

0 Karma
Reply
Solved! Jump to solution

strive
Influencer
‎08-20-2014 01:41 AM

Can we consider the following as error messages
Unexpected error com.eMeter.PIPe.datatransferservice.exception.DTSRuntimeException
Invalid date. java.lang.NullPointerException
SDP lookup failed [null]

Means, all error messages start after - and end before :

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...