Splunk Search

find # of exceptions/errors for a given sourcetype

seanlon11
Path Finder

I am trying to create a table (and then a report) of all exceptions/errors that occur for a given sourcetype.

The primary problem (I suspect) is that I am not doing a count on a given field. The reason for this is that there is nothing common to extract that I can see so far, because there are no key-value pairs when it comes to errors/exceptions.

My query looks like:

eventtype="all_web" (error OR exception) | chart count(events) as eventsBySourceTypeCnt by sourcetype | table sourcetype eventsBySourceTypeCnt

I didn't think counting on "events" was going to work, but I had to start somewhere.

Some of the data returned by just the first portion of the query would be:

  • commitCloseConnection - [18 Nov 2010 16:49:16,434] - ERROR [Default : 1617] PolarisDAO.java:190) - A java.lang.NullPointerException occurred - no detail available.
  • [11/18/10 16:49:22:214 CST] 0000237b SystemErr R java.io.FileNotFoundException: /favicon.ico

Any ideas what I can do here to count just the events? It would be nice to know how many NullPointerExceptions, Errors, or FileNotFoundExceptions there are per sourcetype, but I don't think I'm to that point yet.

Thanks, Sean

1 Solution

southeringtonp
Motivator

So is the goal to get a table containing each sourcetype and the number of error events?

eventtype="all_web" (error OR exception) | stats count by sourcetype

If you need more granularity, remember that eventtypes can be nested, so one approach would be to simply create a set of new eventtypes, then chart by eventtype. For example:

In eventtypes.conf (or configure via the manager):

[webapp-error-FileNotFoundException]
search = eventtype="all_web" (error OR exception) FileNotFoundException

[webapp-error-NullPointerException]
search = eventtype="all_web" (error OR exception) NullPointerException

Once you have the eventtypes defined, use eval with mvfilter to get rid of any extraneous eventtypes, and then create your table:

eventtype="webapp-error-*"
| eval errorType = mvfilter(like(eventtype, "webapp-error-%"))
| stats count by sourcetype, errorType

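A more general way to get the per-exception breakdown asked about in the question, without maintaining one eventtype per exception class, is to extract the Java exception class name from the raw event with rex and count by that field. This is an added example, not part of southeringtonp's answer or the original post; it assumes the same all_web eventtype and that exception class names end in "Exception", as in the two sample lines in the question (java.lang.NullPointerException, java.io.FileNotFoundException). The field name exceptionClass and the "(no exception class)" placeholder are choices made here, not anything Splunk provides.

```spl
eventtype="all_web" (error OR exception)
| rex field=_raw "(?<exceptionClass>\b[A-Za-z_][\w$]*(?:\.[A-Za-z_][\w$]*)*Exception)\b"
| fillnull value="(no exception class)" exceptionClass
| stats count AS eventsBySourceTypeCnt BY sourcetype exceptionClass
| sort sourcetype -eventsBySourceTypeCnt
```

rex leaves exceptionClass unset on events where the pattern does not match (for example a plain ERROR line with no exception in it), and stats by that field would silently drop those events; fillnull keeps them in the table under a visible bucket so the per-sourcetype totals still add up to the number of matching events. New exception classes appear in the output automatically as they show up in the logs, which is the advantage over the eventtype approach; the trade-off is that the regex only sees fully qualified or bare class names that follow the "...Exception" naming convention, so anything named differently (an Error subclass, say) also lands in the placeholder bucket.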
seanlon11
Path Finder

Thanks for the info.
