I have the following search queries:       API Error Alert --------------- index=myindex sourcetype=my-app:app |spath message | regex message="^.*Error while creating account.*$" |dedup my_id_field API Down Alert --------------- index=myindex sourcetype=my-app:app | spath message | regex message="^.*api-down.*$" | dedup my_id_field Update API Error ------------------ index=myindex sourcetype=my-app:app | spath message | regex message="^.*Error while updating trial account.*$" | dedup my_id_field        I have some more of the same kind. It is checking against multiple messages using. regular expressions. Now I would like to create an email alert for all these events and would like combine all these into one query and so I can create a single alert rather than creating individual alerts. How can I combine these queries ? It should trigger the email alert if any of these conditions is true. I have tried the following, but it is not working.        index=myindex sourcetype=my-app:app |spath message | regex message="^.*Error while creating account.*$" | regex message="^.*api-down.*$"|regex message="^.*Error while updating trial account.*$" |regex message="^.*JWT Token creation failed with error.*$" |regex message="^.*Error while fetching IPLookU.*$"       ... View more

I have error messages in the following formats     { "level":"error", "message":"Log: \"error in action {\\\"status\\\":\\\"error\\\",\\\"message_error\\\":\\\"blacklisted\\\"}\"", "timestamp":"2021-09-27T16:39:07-04:00" }     and     { "level":"error", "message":"Log: \"error in action \\\"&lt;HTML&gt;&lt;HEAD&gt;\\\\n&lt;TITLE&gt;Service Unavailable&lt;/TITLE&gt;\\\\n&lt;/HEAD&gt;&lt;BODY&gt;\\\\n<h1>Service Unavailable - Zero size object</h1>\\\\nThe server is temporarily unable to service your request. Please try again\\\\nlater.<p>\\\\nReference&#32;&#35;15\\\\n&lt;/BODY&gt;&lt;/HTML&gt;\\\\n\\\"\"", "timestamp":"2021-09-26T23:12:25-04:00" }     Now I am creating a dashboard for displaying the overall error counts for a period of time. The following query gives me the count based on the message_error.     index=my_index_name sourcetype=my_source_type_name:app | spath message | regex message="^.*error in action.*$" | eval error_json=replace(ltrim(message, "Log: \"error in action"),"\\\\\"","\"") | spath input=error_json output=error_message path=message_error | top error_message     As what I am doing is JSON parsing, it is not applicable for the second type of error message. This is basically HTML after the common error string. I would like to print the count for this error along with the counts of the errors which belong to the first group. For the first group of errors, by using the above query, I am getting the following result error_message count blacklisted 10 captcha error 9 Internal Server Error 8   What I need is error_message count blacklisted 10 captcha error 9 Internal Server Error 8 Service Unavailable 5   That is I need to show the count of errors even if it is not in the JSON format. Both the errors start with the common string "Log: error in action".  If I use another query like :     index=my_index_name sourcetype=my_source_type_name:app | spath message | regex message="^.*Service Unavailable - Zero size object.*$"| stats count as error_count     it will give the count. But first I want to combine the results and show them as a single result and second the above query is limited for a specific error message. So I would like to show a part of the message after "Log: error in action", if it is not in JSON format and the corresponding count. I am new to Splunk and It will be very much helpful if someone can point out the solution for this.  ... View more

I have the following query and I am using it in a dashboard to show the errors categorized.  index=myindex sourcetype=mysource_type:app | spath message | regex message="^.*error creating account.*$$"|top message Now, this is working, but it is showing the complete messages. The error messages have the following format most of the time: message: Log: "error creating account {\"status\":\"error\",\"message\":\"Error while creating account, 500 - Internal Server Error\"}" Now when the stats table is displayed. I would like to show only the message part from this error message, that is it only needs to show Error while creating an account, 500 - Internal Server Error.  It will be very much helpful someone can point out how I can do this? ... View more

I have the following scenario where duplicate accounts has been created for a transaction id value. I would like to count how many duplicates has been created and list it as a table. I compare the message with a string, which indicates the successful creation of the account. The current query is as follows:   index=myindex sourcetype=mysourcetype | spath message | search message="Account Created Successfully" |stats count by transactionId   I have the following format for logs   { level: info message: Account Created Successfully timestamp: 2021-08-02T05:58:44-04:00 transactionId: 100200300 }     The above search query is not giving me the correct counts. I manually checked the logs for the transaction ID, but the `stats` count is wrong. How can I modify the query to get accurate counts ? ... View more