Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Parse first/last error in an event

icyfeverr
Path Finder
‎12-12-2013 12:15 PM

I have an event that has multiple lines, it can have multiple Errors in the event and I need to query either the first or last error from the event. Does anyone know how to do this by chance? I am needing it for a chart to display errors, but the multiple codes are causing the numbers to be skewed.

Tags (2)
0 Karma
Reply

icyfeverr
Path Finder
‎12-17-2013 03:55 PM

Correct, it is a multiline event using a regex to parse the Start and End on the indexer manually for a transaction in our system. I have stopped working on this piece due to the random number of errors that can be thrown, as there is no consistency.

0 Karma
Reply

dart
Splunk Employee
Splunk Employee
‎12-16-2013 06:11 AM

So you could use dedup to find the most recent event:

 sourcetype=foo | dedup error_code by host | timechart count by error_code

Does this give you what you need?

0 Karma
Reply

icyfeverr
Path Finder
‎12-17-2013 03:56 PM

I have stopped working on this piece due to the random number of errors that can be thrown, as there is no consistency. I appreciate the help, but will need to address at a later time after modifications to the logs can be done.

0 Karma
Reply

kristian_kolb
Ultra Champion
‎12-12-2013 01:00 PM

And this is an example of a single event, not six events? 

... | rex "ERROR\]\s?(?<err_msg>[^\r\n]+)"

ought to work..

0 Karma
Reply

icyfeverr
Path Finder
‎12-12-2013 12:41 PM

[2010-08-12 11:54:56.281][ERROR] [ 4363 ] - User credentials are invalid.
[2010-08-12 11:54:56.281][ERROR]AuthResultUserUnknownException
[2010-08-12 11:54:56.281][ERROR] [ 4370 ] - User ****** is unknown. Auth result code = 15.
[2010-08-12 11:54:56.281][ERROR]AuthInterfaceException
[2010-08-12 11:54:56.281][ERROR] [ 4363 ] - User credentials are invalid.

0 Karma
Reply

lukejadamec
Super Champion
‎12-12-2013 12:17 PM

Can you post an example event?
That will make it easier to create a regex that will grab the first or last error in it.

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...