I have the following Splunk query:
search (...) AND ERROR
| rex field=error "^.*(?<vcbn>Value cannot be null.)$"
| stats count(vcbn) by error
but for whatever reason the 'stats count(vcbn) by error' isn't generating any results.
Additionally, the 'rex field=error "^.*(?<vcbn>Value cannot be null.)$"' isn't building a new field in the list on the left of the event search results.
The search itself returns 170 events.
Start by displaying just the results of your search (everything before "rex") to make sure you're getting the events you think you're getting. Do you have a field called 'error'? If you want to capture the full stop at the end of the error message it should be escaped (\.).
search (...) AND ERROR
| rex field=error "^.*(?<vcbn>Value cannot be null.)$"
| stats count by vcbn
Please provide some sample log entries and the portion which has to be extracted as vcbn.
Try 'stats count(vcbn)'. Since your search is only returning a single value, there is no grouping and so no use for a by clause.
What do you get in vcbn? Do you get all the values which you expect? And what I think you would like is a count on vcbn
rex "^.*(?
@richgalloway: got it, so after changing it up a bit to 'rex "^.*(?<vcbn>Value cannot be null.)$" | stats count(vcbn) by _raw' I get a graph - but it's empty. What might I have missed there? I've also noticed that the results listing no longer has these errors listed.
I thought that might be the case. The field argument to the rex command tells rex what field to parse. Results are put into fields created by the '?<vcbn>' construct.
I don't get a field called error, I thought I was trying to make a field called error that pulled out that text and then get stats on it. However, I do get the results I'm expecting with just the search.
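The behaviour discussed in this thread can be reproduced on constructed events. The search below is an added example, not a query posted by anyone in the thread; the four sample events and the field names from_missing_field and unescaped are made up for illustration. It applies the same pattern to a non-existent error field, to _raw with the full stop unescaped, and to _raw with the full stop escaped, then counts how many events each extraction populated.

```spl
| makeresults count=4
| streamstats count AS n
| eval _raw=case(
    n=1, "2024-01-01 10:00:01 ERROR Value cannot be null.",
    n=2, "2024-01-01 10:00:02 ERROR Value cannot be null.",
    n=3, "2024-01-01 10:00:03 ERROR Value cannot be nullX",
    n=4, "2024-01-01 10:00:04 ERROR Timeout expired.")
| rex field=error "(?<from_missing_field>Value cannot be null\.)$"
| rex "(?<unescaped>Value cannot be null.)$"
| rex "(?<vcbn>Value cannot be null\.)$"
| stats count AS events
        count(from_missing_field) AS from_missing_field
        count(unescaped) AS unescaped
        count(vcbn) AS vcbn
```

count(X) only counts events in which X was extracted, so the columns show the effect of the field argument and of escaping the full stop side by side.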