Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to view my error name in where clause?

karthi2809
Builder
‎01-31-2018 10:32 PM

Now i am getting only count i need error messages and host

index=test "java.nio.channels.ClosedChannelException" |stats count |where count > 10

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎01-31-2018 11:12 PM

You can do that if you have a field in which error_message is already extracted. If it is not, then you have to manually extract it and then build a search query. If you can give me a sample event and tell what is the error message that you want to show then I can build a search query for you.

If the error message is specific i.e. java.nio.channels.ClosedChannelException

index=test "java.nio.channels.ClosedChannelException" 
| stats count by host 
| where count>10 
| eval error_message="java.nio.channels.ClosedChannelException"

let me know if this helps!

View solution in original post

Reply
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎01-31-2018 11:12 PM

You can do that if you have a field in which error_message is already extracted. If it is not, then you have to manually extract it and then build a search query. If you can give me a sample event and tell what is the error message that you want to show then I can build a search query for you.

If the error message is specific i.e. java.nio.channels.ClosedChannelException

index=test "java.nio.channels.ClosedChannelException" 
| stats count by host 
| where count>10 
| eval error_message="java.nio.channels.ClosedChannelException"

let me know if this helps!

Reply
Solved! Jump to solution

493669
Super Champion
‎01-31-2018 10:38 PM

Try this:

index=test "java.nio.channels.ClosedChannelException" |stats count by error_messages, host|where count > 10
Reply
Get Updates on the Splunk Community!

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...