Re: Parse first/last error in an event

icyfeverr · ‎12-12-2013

I have an event that has multiple lines, it can have multiple Errors in the event and I need to query either the first or last error from the event. Does anyone know how to do this by chance? I am needing it for a chart to display errors, but the multiple codes are causing the numbers to be skewed.

icyfeverr · ‎12-17-2013

Correct, it is a multiline event using a regex to parse the Start and End on the indexer manually for a transaction in our system. I have stopped working on this piece due to the random number of errors that can be thrown, as there is no consistency.

dart · ‎12-16-2013

So you could use dedup to find the most recent event:

 sourcetype=foo | dedup error_code by host | timechart count by error_code

Does this give you what you need?

icyfeverr · ‎12-17-2013

I have stopped working on this piece due to the random number of errors that can be thrown, as there is no consistency. I appreciate the help, but will need to address at a later time after modifications to the logs can be done.

kristian_kolb · ‎12-12-2013

And this is an example of a single event, not six events?

... | rex "ERROR\]\s?(?<err_msg>[^\r\n]+)"

ought to work..

icyfeverr · ‎12-12-2013

[2010-08-12 11:54:56.281][ERROR] [ 4363 ] - User credentials are invalid.
[2010-08-12 11:54:56.281][ERROR]AuthResultUserUnknownException
[2010-08-12 11:54:56.281][ERROR] [ 4370 ] - User ****** is unknown. Auth result code = 15.
[2010-08-12 11:54:56.281][ERROR]AuthInterfaceException
[2010-08-12 11:54:56.281][ERROR] [ 4363 ] - User credentials are invalid.

lukejadamec · ‎12-12-2013

Can you post an example event?
That will make it easier to create a regex that will grab the first or last error in it.

Parse first/last error in an event

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?