Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to sort different error strings in one log file?

Bergans
Engager
‎08-20-2014 12:07 AM

Hi,
I'm currently importing log-files into Splunk, to monitor the different kind of Errors that passes through the system that are monitored.
Up to now I've only searched for the string 'ERROR' in each log file. Since a log file may contain many different kind of errors, the result is that many kind of Errors are presented together. I would like to sort/group the different kind of errors in one diagram.

The search as today is as follows (for one of the log-files)

ERROR source="/home/logs/DataTransferService.log"

The result would then consist of many different ERROR messages, similar to these three (as an example):

2014-08-19 12:00:00,394 [pool-1-thread-1] ERROR - Unexpected error com.eMeter.PIPe.datatransferservice.exception.DTSRuntimeException:…

2014-08-19 11:20:01,815 [pool-1-thread-4] ERROR - Invalid date. java.lang.NullPointerException:…

2014-08-19 11:20:01,814 [pool-1-thread-4] ERROR - SDP lookup failed [null]: id to load is required for loading [Additional Information:…
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎08-20-2014 01:48 AM

Well, it's not entirely clear what you want to achieve. Sorting and grouping is usually performed on fields. Say that you want to group all errors on the type of error ("Unexpected error", "Invalid date" or "SDP lookup failed" in your example), you need to extract this part of the message as a field (let's call it errType) and whatever comes after it is extracted as errMsg. This can be done in config files or inline in the search query. We'll do the latter here. 

ERROR source="/home/logs/DataTransferService.log" 
| rex "\sERROR\s-\s(?<errType>[^\.\r\n:]+)(?<errMsg>.*)"
| eval niceTime = strftime(_time, "%F %T")
| stats list(niceTime) list(errMsg) by errType

This should result in an output like

Unexpected Error        2014-06-20 11:22:23     com.eMeter.PIPe.datatransferblahblahblahb
                        2014-06-21 12:23:34     some.other.errormessage
Invalid date            2014-06-23 22:32:21     Blah Blah Blah error

and so forth. Maybe something like that is what you're looking for?

/K

View solution in original post

Reply
Solved! Jump to solution

Bergans
Engager
‎08-20-2014 02:52 AM

No, the Errors may be identified by 'ERROR - '*

0 Karma
Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎08-20-2014 01:48 AM

Well, it's not entirely clear what you want to achieve. Sorting and grouping is usually performed on fields. Say that you want to group all errors on the type of error ("Unexpected error", "Invalid date" or "SDP lookup failed" in your example), you need to extract this part of the message as a field (let's call it errType) and whatever comes after it is extracted as errMsg. This can be done in config files or inline in the search query. We'll do the latter here. 

ERROR source="/home/logs/DataTransferService.log" 
| rex "\sERROR\s-\s(?<errType>[^\.\r\n:]+)(?<errMsg>.*)"
| eval niceTime = strftime(_time, "%F %T")
| stats list(niceTime) list(errMsg) by errType

This should result in an output like

Unexpected Error        2014-06-20 11:22:23     com.eMeter.PIPe.datatransferblahblahblahb
                        2014-06-21 12:23:34     some.other.errormessage
Invalid date            2014-06-23 22:32:21     Blah Blah Blah error

and so forth. Maybe something like that is what you're looking for?

/K

Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎08-20-2014 05:10 AM

btw, if you're NOT doing the stats list(niceTime) part, you can skip the preceding eval niceTime strftime(_time, "%F %T") as well.

EDIT : missing "NOT"
/k

Reply
Solved! Jump to solution

Bergans
Engager
‎08-20-2014 03:33 AM

Thanks a lot @kristian.kolb,
I see that I was a bit unclear about what really wanted to achieve. I changed your last part:

| stats list(niceTime) list(errMsg) by errType"

with:

| timechart span=1d count by errType usenull=f

Then I got exactly what I needed.
Now I got a sorted list of the different kind of errors, and a visualized graphical view.

0 Karma
Reply
Solved! Jump to solution

strive
Influencer
‎08-20-2014 01:41 AM

Can we consider the following as error messages
Unexpected error com.eMeter.PIPe.datatransferservice.exception.DTSRuntimeException
Invalid date. java.lang.NullPointerException
SDP lookup failed [null]

Means, all error messages start after - and end before :

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...