Splunk Search
Highlighted

find # of exceptions/errors for a given sourcetype

Path Finder

I am trying to create a table (and then a report) of all exceptions/errors that occur for a given sourcetype.

The primary problem (i suspect) is that I am not doing a count on a given field. The reason for this is that there is nothing common to extract that I can see so far because there are no key-value pairs when it comes to errors/exceptions.

My query looks like:

eventtype="all_web" (error OR exception) | chart count(events) as eventsBySourceTypeCnt by sourcetype | table sourcetype eventsBySourceTypeCnt

I didn't think counting on "events" was going to work, but I had to start somewhere.

Some of the data returned would by just the first portion of the query would be:

  • commitCloseConnection - [18 Nov 2010 16:49:16,434] - ERROR [Default : 1617] PolarisDAO.java:190) - A java.lang.NullPointerException occurred - no detail available.
  • [11/18/10 16:49:22:214 CST] 0000237b SystemErr R java.io.FileNotFoundException: /favicon.ico

Any ideas what I can do here to count just the events? It would be nice to know how many NullPointerExceptions, Errors, or FileNotFoundExceptions there are per sourcetype, but I don't think I'm to that point yet.

Thanks, Sean

Tags (3)
0 Karma
Highlighted

Re: find # of exceptions/errors for a given sourcetype

Motivator

So is the goal to get a table containing each sourcetype and the number of error events?

eventtype="all_web" (error OR exception) | stats count by sourcetype

If you need more granularity, remember that eventtypes can be nested, so one approach would be to simply create a set of new eventtypes, then chart by eventtype. For example:

In eventtypes.conf (or configure via the manager):

[webapp-error-FileNotFoundException]
eventtype="all_web" (error OR exception) FileNotFoundException

[webapp-error-FileNotFoundException]
eventtype="all_web" (error OR exception) NullPointerException

Once you have the eventtypes defined, use eval with mvfilter to get rid of any extraneous eventtypes, and then create your table:

eventtype="webapp-error-*"
| eval errorType = mvfilter(eventtype LIKE "webapp-error-%")
| stats count by sourcetype, errorType

View solution in original post

Highlighted

Re: find # of exceptions/errors for a given sourcetype

Path Finder

Thanks for the info.

0 Karma