Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Tomcat sum counted statistic over all 6 Log Levels

sdohn
Explorer
‎05-14-2012 07:48 AM

Hi, I want to create a chart for my tomcat logs.
In result there should be a summarized countet statistic for the different log levels like INFO, DEBUG, WARN, ERROR, FATAL, TRACE
The statistic should be between a time frame like the last whole week and the last whole month.

My logs looks like this example:

INFO ;2012-04-11 08:37:18,659;manny more ***;BEENDE HTTP/1.1 POST-Request - Zeit=2,698ms
DEBUG ;2012-04-12 09:72:18,659;manny more ***;BEENDE HTTP/1.1 POST-Request - Zeit=2,698ms
WARN ;2012-04-13 10:34:18,659;manny more ***;BEENDE HTTP/1.1 POST-Request - Zeit=2,698ms
ERROR ;2012-04-14 12:56:18,659;manny more ***;BEENDE HTTP/1.1 POST-Request - Zeit=2,698ms
FATAL  ;2012-04-15 09:35:18,659;manny more ***;BEENDE HTTP/1.1 POST-Request - Zeit=2,698ms
TRACE ;2012-04-16 08:45:18,659;manny more ***;BEENDE HTTP/1.1 POST-Request - Zeit=2,698ms

What I get for the moment is a counted report from only lets say the INFO level like:

source="/opt/logs/radical-up.090909x.log" INFO | timechart sum(count) as "INFOSTATUS"

But how can I create a search which includes all other 5 remaining log levels and generates a nice summarized chart for me.

brgds. from sdohn

Tags (1)
0 Karma
Reply

Genti
Splunk Employee
Splunk Employee
‎05-14-2012 07:55 AM

So, if INFO, DEBUG, WARN ERROR FATAL and TRACE are already being extracted i assume? If not, you should extract them with a field extraction and call them something like "STATUS".
Then you should be able to do | timechart sum(count) AS by STATUS

This should give you a nice little chart with the count of each event by the status code above..

0 Karma
Reply

sdohn
Explorer
‎05-18-2012 10:52 PM

Unfortunalety your example does not work for me.
Maybe I do not correctly interpret it.

source="websample.log" | timechart sum(count) AS < status="202" status="404" > by status

0 Karma
Reply

sdohn
Explorer
‎05-18-2012 10:43 PM

Hi thanks for your answer, for the moment your example does not work for me.
Lets work on a real example.

I've download this logfile:
http://innovato.com/splunk/websample.log

When I fire up this query I get the timechart where all available status codes will be sum
source="websample.log" status="*" | timechart sum(count)

But how to get a sum(count) timechart report where I can get a bar for lets say:
all status codes 200 bar in color green
all status codes 404 bar in color red
And all in one report

thanks!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...