Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Looking for a result each day in the week
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
In my base search I'm looking for stores with the minimum count of 1 for 4 differend kind of errors. I count the errors, put them in a xyseries table and filter them out - which works great.
Now i would like to know which stores on which day hit all the criterias.
-----------------------------------
Code
-----------------------------------
index=main host=*
(thrown NotFoundException:Not found) OR
(X-30056) OR
(Interceptor for tx_pool ITransactionPool has thrown exception, unwinding now) OR
(SocketTimeoutException Read Timeout)
| rex field=_raw "An accepted error occurred:.(?<exception>\w+-\d+):."
| rex field=_raw "SocketTimeoutException: R(?<exception>\w+.\w+)"
| rex field=_raw "serverDataState:.(?<exception>\w+.\w+)"
| rex field=_raw "Caused by: java.io.InterruptedIOException:.(?<exception>.*)"
| rex field=_raw "thrown NotFoundException:(?<exception>\w+.\w+)"
| eval ccc = cooperative+cost_center
| stats count by ccc exception
| xyseries ccc exception count
| search X-30056 > 0 AND "Read Timeout" > 0 AND "Not found" > 0 AND "Output operation aborted" > 0
-----------------------------------
Result
-----------------------------------
ccc X-30056 Not found Output operation aborted Read Timeout Read Timeout Read timed
0011111 339 6 12 193 364
0022222 620 4 1 640 992 1
0033333 588 4 7 2549 4956 1
What I would like to achieve is the following:
Date ccc
08/17/2021 0011111
08/18/2021 0022222
08/20/2021 0033333
I'm thankful for any help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
| eval ccc = cooperative+cost_center
| bin _time span=1d
| eval dataccc=strftime(_time,"%m/%d/%Y")."!".ccc
| stats count by dateccc exception
| xyseries dateccc exception count
| where 'X-30056' > 0 AND 'Read Timeout' > 0 AND 'Not found' > 0 AND 'Output operation aborted' > 0
| eval date=mvindex(split(dateccc,"!"),0)
| eval ccc=mvindex(split(dateccc,"!"),1)
| table date ccc- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
| eval ccc = cooperative+cost_center
| bin _time span=1d
| eval dataccc=strftime(_time,"%m/%d/%Y")."!".ccc
| stats count by dateccc exception
| xyseries dateccc exception count
| where 'X-30056' > 0 AND 'Read Timeout' > 0 AND 'Not found' > 0 AND 'Output operation aborted' > 0
| eval date=mvindex(split(dateccc,"!"),0)
| eval ccc=mvindex(split(dateccc,"!"),1)
| table date ccc- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ITWhisperer
When I use "dateccc" in the first eval it works. Thanks for the good suggestion!
The mvindex and split-commands are new for me - i'will digg deeper into those!
Thanks a lot!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
did you try instead of stats to use:
| timechart count by ccc exception span=1d
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes I think timechart only allows you to count one arugemnt
replace stats with your command gives me back the following error:
"Error in 'timechart' command: The argument 'exception' is invalid."
Accelerating Observability as Code with the Splunk AI Assistant
Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...
Congratulations to the 2025-2026 SplunkTrust!
