Solved: Re: how to get the count of different ErrorID's fr...

iqbalintouch · ‎10-10-2020

Hello splunk users,

Can someone help me with a solution? I am running my base search query to see the error in response, but the error id coming in the response is not showing as a field so I am not able to generate a timechard for all the different errors/error id's.

I need your help on this, since I am very weak in using rex command I can't think a solution at my own:

Base search query:- ("Unexpected partner error.." OR "Timeout occurred waiting for response from Fulfillment - java.net.SocketTimeoutException: Read timed out") GenerateBookingResponse ERROR source="/var/log/myapp/electronic-purchase-service/electronic-purchase-service.log"

Below is the sample of error response. Every error is having a unique errorid associated with it:

2019-01-10 19:39:21.454 [https-jsse-nio-8080-exec-10] [hdhdhda704-4444-44a1-bbbb-52857lllcd1d] INFO EndpointLogger - endpoint=my-endpoint; operation=createOrder; duration=4517, response=<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ns3:GenerateBookingResponse xmlns:ns1="urn:myworld:dom:common:defn:v1" xmlns:ns10="urn:myworld:dm:hhhhh:hhhhh:define:v1" xmlns:ns11="urn:myworld:dom:supply:messages:defn:v1" xmlns:ns12="urn:myworld:dom:vvvv:datatype:define:v1" xmlns:ns13="urn:myworld:c3:data:placetypes:defn:v4" xmlns:ns14="urn:myworld:c3:data:messagetypes:defn:v5" xmlns:ns2="urn:myworld:ddom:datatype:define:v1" xmlns:ns3="urn:myworld:dom:order:messages:v1" xmlns:ns4="urn:myworld:ord:order:persisttypes:v2" xmlns:ns5="urn:myworld:c3:data:financetypes:define:v5" xmlns:ns6="urn:myworld:c3:data:financetypes:defn:v4" xmlns:ns7="urn:myworld:c3:data:basetypes:defn:v4" xmlns:ns8="urn:myworld:c3:data:timetypes:define:v4"><ns1:MessageInfo CreateDateTime="2019-01-10T19:39:16.935-07:00" MessageGUID=“0102037-048a-49a9-08u5-2222ba059e2a" TransactionGUID=“11111111-ac11-1a11-22d7-eb1a2c333333><ns1:DebugTraceBoolean>false</ns1:DebugTraceBoolean></ns1:MessageInfo><ns1:MessageStatus><ns1:Status>Failure</ns1:Status><ns1:ErrorList><ns1:Error><ns1:MessageTransactionInfo><ns1:Category>ExternalError</ns1:Category><ns1:Code>0000</ns1:Code><ns1:Description>Unexpected partner error..</ns1:Description><ns1:Namespace>urn:myworld:c3:ss:electronic:digitalinterface:purchasecommontypes:define:v2</ns1:Namespace><ns1:ExternalErrorList><ns1:ExternalError><ns1:ExternalErrorID>10007</ns1:ExternalErrorID><ns1:ExternalErrorDescription>Unexpected partner error..</ns1:ExternalErrorDescription></ns1:ExternalError></ns1:ExternalErrorList></ns1:MessageTransactionInfo></ns1:Error></ns1:ErrorList></ns1:MessageStatus><ns1:MobileOrderProcessRelationNO>ab7cdc43-f8a6-4cdf-0000-33t4f530u65a</ns1:MobileOrderProcessRelationNO></ns3:GenerateBookingResponse></soap:Body></soap:Envelope>

I need to generate a timechart based on the error or error ID.

thanks a lot in advance.

ITWhisperer · ‎10-11-2020

| xmlkv
| stats count by ns1:ExternalErrorID

View solution in original post

ITWhisperer · ‎10-11-2020

| xmlkv
| stats count by ns1:ExternalErrorID

iqbalintouch · ‎10-11-2020

@ITWhisperer hi,

this worked, thank you. Can I use this anywhere, if error log are similar?

inventsekar · ‎10-11-2020

Yes, xmlkv does exactly that. The xmlkv command automatically extracts key-value pairs from XML-formatted data

https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/Xmlkv

how to get the count of different ErrorID's from application log

field extraction

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes