I am trying to create a table (and then a report) of all exceptions/errors that occur for a given sourcetype.
The primary problem (I suspect) is that I am not doing a count on a given field. The reason for this is that there is nothing common to extract that I can see so far because there are no key-value pairs when it comes to errors/exceptions.
My query looks like:
eventtype="all_web" (error OR exception) | chart count(events) as eventsBySourceTypeCnt by sourcetype | table sourcetype eventsBySourceTypeCnt
I didn't think counting on "events" was going to work, but I had to start somewhere.
Some of the data returned by just the first portion of the query would be:
- commitCloseConnection - [18 Nov 2010 16:49:16,434] - ERROR [Default : 1617] PolarisDAO.java:190) - A java.lang.NullPointerException occurred - no detail available.
- [11/18/10 16:49:22:214 CST] 0000237b SystemErr R java.io.FileNotFoundException: /favicon.ico
Any ideas what I can do here to count just the events? It would be nice to know how many NullPointerExceptions, Errors, or FileNotFoundExceptions there are per sourcetype, but I don't think I'm to that point yet.
So is the goal to get a table containing each sourcetype and the number of error events?
eventtype="all_web" (error OR exception) | stats count by sourcetype
If you need more granularity, remember that eventtypes can be nested, so one approach would be to simply create a set of new eventtypes, then chart by eventtype. For example:
In eventtypes.conf (or configure via the manager):
[webapp-error-FileNotFoundException]
search = eventtype="all_web" (error OR exception) FileNotFoundException

[webapp-error-NullPointerException]
search = eventtype="all_web" (error OR exception) NullPointerException
Once you have the eventtypes defined, use mvfilter to get rid of any extraneous eventtypes, and then create your table:
eventtype="webapp-error-*" | eval errorType = mvfilter(eventtype LIKE "webapp-error-%") | stats count by sourcetype, errorType
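The mvfilter step above, as an added example that is not part of the original answer: it builds four constructed events with makeresults and gives each a multivalue eventtype field, as a nested eventtype match would, so you can see that mvfilter keeps only the webapp-error-* value and that all_web is not counted as an error type. The sourcetype values and the eventtype assignments are made up for illustration.

```spl
| makeresults count=4
| streamstats count AS n
| eval sourcetype=case(n<=2, "constructed_app_log", n>=3, "constructed_was_syserr")
| eval eventtype=split(case(
    n=1, "all_web,webapp-error-NullPointerException",
    n=2, "all_web,webapp-error-NullPointerException",
    n=3, "all_web,webapp-error-FileNotFoundException",
    n=4, "all_web"), ",")
| eval errorType=mvfilter(like(eventtype, "webapp-error-%"))
| stats count BY sourcetype, errorType
```

The fourth event carries only all_web, so mvfilter leaves its errorType null and stats omits it from the table.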