Hi, I am a newbie to Splunk.
Here's some of my sample logs, where I need to count the number of occurrences for each of these exceptions. Also I would like to build a Panel that gives me these Unique (in Bold below) occurrences.
org.mule.module.xml.filters.SchemaValidationFilter - SchemaValidationFilter rejected a message because it apparently failed to validate against the schema.
org.xml.sax.SAXParseException: cvc-maxLength-valid: Value 'Georgia Tech Yellow Jacke Heather Navy S Interbay Melange Stripe P' with length = '66' is not facet-valid with respect to maxLength '65' for type '#AnonType_DescriptionItemMessagetXML'.
DEBUG org.mule.module.xml.filters.SchemaValidationFilter - SchemaValidationFilter rejected a message because it apparently failed to validate against the schema.
org.xml.sax.SAXParseException: cvc-maxLength-valid: Value 'West Virginia Mountaineer No Color Yth XL Youth Girls CO3 Judo Flee' with length = '67' is not facet-valid with respect to maxLength '65' for type '#AnonType_DescriptionItemMessagetXML'.
This is what I have written so far:
index=Mule source = "*item-subscriber-manhattan*" "*is not facet-valid with respect to maxLength '65' for type*" | rex field==_raw "SchemaValidationFilter rejected a message because it apparently failed to validate against the schema. org.xml.sax.SAXParseException: cvc-maxLength-valid: Value (?<from>.*) is not facet-valid with respect to maxLength '65'(?<to>.*)" | timechart span=1d count by to
The problem that I have is when I put it in Panel, even though it shows the counts, it still shows "Count" as NULL, and when I try to drill through it, it doesn't show any logs (until I clear out the bold text below)
index=Mule source = "*item-subscriber-manhattan*" "*is not facet-valid with respect to maxLength '65' for type*" | rex field==_raw "SchemaValidationFilter rejected a message because it apparently failed to validate against the schema. org.xml.sax.SAXParseException: cvc-maxLength-valid: Value (?<from>.*) is not facet-valid with respect to maxLength '65'(?<to>.*)" | **search to=NULL**
So please help me how can I find all these unique "exception strings" and also how can I make sure that my count doesn't show Null and when I click on the drill through in panel the search works fine.
Assuming your intention was to catch the red pieces from this log line:
org.xml.sax.SAXParseException: cvc-maxLength-valid: Value Georgia Tech Yellow Jacke Heather Navy S Interbay Melange Stripe P' with length = '66'
is not facet-valid with respect to maxLength '65' for type '#AnonType_DescriptionItemMessagetXML'.
How about you give this a try, so that the first text of interest gets caught in field from and the second text of interest gets caught in field to, as is done in the query below:
index=Mule source = "*item-subscriber-manhattan*" "*is not facet-valid with respect to maxLength '65' for type*"
| rex field=_raw ".*cvc-maxLength-valid:\sValue\s(?<from>.*)\sis not facet-valid with respect to maxLength '65' for type (?<to>.*)"
| timechart span=1d count by to useother=f usenull=f
Hope it helps! See extraction here
karanvirsharma,
You have three options here:
[my_sourcetype]
EXTRACT-from_to = SchemaValidationFilter rejected a message because it apparently failed to validate against the schema. org.xml.sax.SAXParseException: cvc-maxLength-valid: Value (?<from>.*) is not facet-valid with respect to maxLength '65'(?<to>.*)
This will cause the field to be automatically extracted.
2. Replace your < and > with the encoded version (< == &lt; and > == &gt;)
3. Utilize CDATA for the search in the XML:
<param name="search"><![CDATA[ index=Mule source = "*item-subscriber-manhattan*" "*is not facet-valid with respect to maxLength '65' for type*" | rex field==_raw "SchemaValidationFilter rejected a message because it apparently failed to validate against the schema. org.xml.sax.SAXParseException: cvc-maxLength-valid: Value (?<from>.*) is not facet-valid with respect to maxLength '65'(?<to>.*)" | timechart span=1d count by to]]></param>
Hope this helps!
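Why options 2 and 3 above matter, as an added example that is not part of the original answer: the rex named groups `(?<from>...)` and `(?<to>...)` look like XML tags once the search is pasted into dashboard XML. The sketch uses Python's standard XML parser as a stand-in for the dashboard parser (an assumption); `SPL` is a shortened, constructed version of the asker's search and the helper names are hypothetical.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed, shortened form of the search from the question.
SPL = ('index=Mule | rex field=_raw "Value (?<from>.*) is not facet-valid '
       "with respect to maxLength '65'(?<to>.*)\" | timechart span=1d count by to")


def embed_raw(spl):
    """Paste the search into the XML unchanged (what breaks the panel)."""
    return f'<param name="search">{spl}</param>'


def embed_escaped(spl):
    """Option 2: encode &, < and > as XML entities."""
    return f'<param name="search">{escape(spl)}</param>'


def embed_cdata(spl):
    """Option 3: wrap in CDATA; split any literal ']]>' so it cannot end the section early."""
    safe = spl.replace("]]>", "]]]]><![CDATA[>")
    return f'<param name="search"><![CDATA[{safe}]]></param>'


def round_trip(xml_text):
    """Return the search string an XML parser recovers, or None if the XML is not well-formed."""
    try:
        return ET.fromstring(xml_text).text
    except ET.ParseError:
        return None


if __name__ == "__main__":
    for name, build in (("raw", embed_raw), ("escaped", embed_escaped), ("cdata", embed_cdata)):
        recovered = round_trip(build(SPL))
        status = "search preserved" if recovered == SPL else "search lost or XML invalid"
        print(f"{name:8s} {status}")
```

The raw form fails because `<from>` and `<to>` are read as unclosed elements, while both the entity-encoded and CDATA forms hand the parser back the exact search text.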