Hi Everyone,
I have created the query below in Splunk to fetch the error messages:
index=abc ns=blazegateway-c2 CASE(ERROR)
| rex field=_raw "(?<!LogLevel=)ERROR(?<Error_Message>.*)"
| eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N")
| cluster showcount=t t=0.3
| table app_name, Error_Message, cluster_count, _time, environment, pod_name, ns
| dedup Error_Message
| rename app_name as APP_NAME, _time as Time, environment as Environment, pod_name as Pod_Name, cluster_count as Count
I observe that for a particular error message like the one below:
[reactor-http-epoll-4,cd5411f55ef5b309d8c4bc3f558e8af2,269476b43c74118e,01] reactor.core.publisher.Operators - Operator called default onErrorDropped
the count is coming as 42, although there are only 13 events with this error message.
I want to know whether this is a problem with cluster_count.
How does the cluster command work in Splunk? Is my query taking cluster_count instead of the actual counts?
Can someone guide me on this?
The cluster command uses somewhat "fuzzy" matching so non-identical events may be counted together. To get a precise count, use the eventstats command.
index=abc ns=blazegateway-c2 CASE(ERROR)
| rex field=_raw "(?<!LogLevel=)ERROR(?<Error_Message>.*)"
| eval Time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N")
| eventstats count as Count by Error_Message
| table app_name, Error_Message, Count, Time, environment, pod_name, ns
| dedup Error_Message
| rename app_name as APP_NAME, environment as Environment, pod_name as Pod_Name
I just want to understand why the cluster count for messages is coming as 42+.
I want to combine similar messages; that is why I have used cluster count.
Can you guide me on the same?
As I said in my first reply, the cluster command is "fuzzy". It groups similar events rather than identical events. Since we don't know the exact algorithm it uses, your count of events is likely to be different.
Use a higher value of t (the default is 0.8) to have the events be more similar.
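To make the difference between the two replies concrete, here is an added Python sketch (not from the thread and not Splunk's own code) that runs the thread's rex over a few constructed events and compares an exact count per Error_Message, which is what eventstats gives, against a greedy similarity grouping at t=0.3 and t=0.8. Splunk does not document the cluster algorithm, so the token-Jaccard similarity used here is an assumed stand-in that only illustrates why a low t merges distinct messages into one cluster_count.

```python
import re
from collections import Counter

# The thread's rex, translated to Python's named-group syntax.
ERROR_RE = re.compile(r"(?<!LogLevel=)ERROR(?P<Error_Message>.*)")

# Constructed sample events (not from the original thread). Three carry an
# identical Error_Message; two are different reactor errors that share most
# tokens with it; one is unrelated.
SAMPLE_EVENTS = [
    "LogLevel=ERROR pod=gw-1 ERROR [reactor] reactor.core.publisher.Operators - Operator called default onErrorDropped",
    "LogLevel=ERROR pod=gw-2 ERROR [reactor] reactor.core.publisher.Operators - Operator called default onErrorDropped",
    "LogLevel=ERROR pod=gw-1 ERROR [reactor] reactor.core.publisher.Operators - Operator called default onErrorDropped",
    "LogLevel=ERROR pod=gw-3 ERROR [reactor] reactor.core.publisher.Operators - Operator called default onNextDropped",
    "LogLevel=ERROR pod=gw-2 ERROR [reactor] reactor.core.publisher.Operators - Operator called default onErrorDropped: timeout",
    "LogLevel=ERROR pod=gw-1 ERROR [db] org.postgresql.Driver - connection refused",
]


def extract_messages(events):
    """Apply the rex and return the Error_Message of every event it matches."""
    found = []
    for event in events:
        m = ERROR_RE.search(event)
        if m:
            found.append(m.group("Error_Message").strip())
    return found


def exact_counts(messages):
    """What `eventstats count as Count by Error_Message` computes: identical strings only."""
    return dict(Counter(messages))


def jaccard(a, b):
    """Token-set similarity in [0, 1]; assumed proxy for cluster's similarity score."""
    ta, tb = set(a.split()), set(b.split())
    return len(ta & tb) / len(ta | tb)


def fuzzy_counts(messages, t):
    """Greedy one-pass grouping: an event joins the first cluster whose
    representative is at least t similar, otherwise it starts a new one.
    Returns {representative_message: cluster_count}."""
    clusters = []  # each entry is [representative, count]
    for msg in messages:
        for cluster in clusters:
            if jaccard(cluster[0], msg) >= t:
                cluster[1] += 1
                break
        else:
            clusters.append([msg, 1])
    return {rep: n for rep, n in clusters}
```

With t=0.3 the onErrorDropped cluster absorbs the onNextDropped and timeout variants (count 5 against an exact count of 3); raising t to 0.8 makes the fuzzy counts agree with the exact ones.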
I have attached the screenshot; I am getting a count of 361 with the query below:
index=abc ns=blazegateway-c2 CASE(ERROR)
| rex field=_raw "(?<!LogLevel=)ERROR(?<Error_Message>.*)"
| eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N")
| cluster showcount=t t=0.3
| table app_name, Error_Message, cluster_count, _time, environment, pod_name, ns
| dedup Error_Message
| rename app_name as APP_NAME, _time as Time, environment as Environment, pod_name as Pod_Name, cluster_count as Count
When I click on the count 361 it is not showing anything.
I want to check which events make up the count of 361.
Please guide me on the same.
I'm pretty sure you can't drill down on cluster results.