Solved: How to view my error name in where clause?

karthi2809 · ‎01-31-2018

Now i am getting only count i need error messages and host

index=test "java.nio.channels.ClosedChannelException" |stats count |where count > 10

mayurr98 · ‎01-31-2018

You can do that if you have a field in which error_message is already extracted. If it is not, then you have to manually extract it and then build a search query. If you can give me a sample event and tell what is the error message that you want to show then I can build a search query for you.

If the error message is specific i.e. java.nio.channels.ClosedChannelException

index=test "java.nio.channels.ClosedChannelException" 
| stats count by host 
| where count>10 
| eval error_message="java.nio.channels.ClosedChannelException"

let me know if this helps!

View solution in original post

mayurr98 · ‎01-31-2018

You can do that if you have a field in which error_message is already extracted. If it is not, then you have to manually extract it and then build a search query. If you can give me a sample event and tell what is the error message that you want to show then I can build a search query for you.

If the error message is specific i.e. java.nio.channels.ClosedChannelException

index=test "java.nio.channels.ClosedChannelException" 
| stats count by host 
| where count>10 
| eval error_message="java.nio.channels.ClosedChannelException"

let me know if this helps!

493669 · ‎01-31-2018

Try this:

index=test "java.nio.channels.ClosedChannelException" |stats count by error_messages, host|where count > 10

How to view my error name in where clause?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!