Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a search to compare two weeks errors, and highlight any new errors?

uagraw01
Builder
‎10-20-2022 02:34 AM

Hello Splunkers !!

 

Last week Current week New Error 
"enableEnhancedCheckout"  "enableEnhancedCheckout"  "error_in_python_script"
  "error_in_python_script"  

 

Above is the use case I have, In which I want to compare two week errors. And if any new error introduced then I want to highlight that error.  Below is the SPL I have used so far. Please let me know what I need to correct in below query and How can I achieve, if you have any other approach.

Index="ABC" source="/abc.log" ("ERROR" OR "EXCEPTION") earliest=-14d latest=now()
| rex field=_raw "Error\s(?<Message>.+)MulesoftAdyenNotification"
| rex field=_raw "fetchSeoContent\(\)\s(?<Exception>.+)"
| rex field=_raw "Error:(?<Error2>.+)"
| rex field=_raw "(?<ErrorM>Error in template script)+"
| rex field=_raw "(?ms)^(?:[^\\|\\n]*\\|){3}(?P<Component>[^\\|]+)"
| rex "service=(?<Service>[A-Za-z._]+)"
| rex "Sites-(?<Country>[A-Z]{2})"
| eval Error_Exception= coalesce(Message,Error2,Exception,ErrorM)
| eval Week=case(now()-_time<604800,"Current_Week",_time>604800, "Last_Week")
| stats dc(Week) AS Week_count values(Week) AS Week by Error_Exception
| eval Error_Status=if(Week_count=2,"Both Weeks",Week)
| eval Difference1= abs(tonumber(Last_Week) - tonumber(Current_Week))
| stats count by Difference1
| fields - count
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-20-2022 03:14 AM

Hi @uagraw01,

let me understand: you want to list the new errors in the current week respsct the previous week, is this correct?

if this is yur need, your search is almost correct but not the last three statements.

to list the new errors you need something like this:

Index="ABC" source="/abc.log" ("ERROR" OR "EXCEPTION") earliest=-14d latest=now()
| rex "Error\s(?<Message>.+)MulesoftAdyenNotification"
| rex "fetchSeoContent\(\)\s(?<Exception>.+)"
| rex "Error:(?<Error2>.+)"
| rex "(?<ErrorM>Error in template script)+"
| rex "(?ms)^(?:[^\\|\\n]*\\|){3}(?P<Component>[^\\|]+)"
| rex "service=(?<Service>[A-Za-z._]+)"
| rex "Sites-(?<Country>[A-Z]{2})"
| eval Error_Exception= coalesce(Message,Error2,Exception,ErrorM)
| eval Week=if(now()-_time<604800,"Current_Week","Last_Week")
| stats dc(Week) AS Week_count values(Week) AS Week by Error_Exception
| where Week_count=1 AND Week="Current_Week"
| table Error_Exception

If instead you want to have three columns as the table you shared, you should try something like this:

 

Index="ABC" source="/abc.log" ("ERROR" OR "EXCEPTION") earliest=-14d latest=now()
| rex "Error\s(?<Message>.+)MulesoftAdyenNotification"
| rex "fetchSeoContent\(\)\s(?<Exception>.+)"
| rex "Error:(?<Error2>.+)"
| rex "(?<ErrorM>Error in template script)+"
| rex "(?ms)^(?:[^\\|\\n]*\\|){3}(?P<Component>[^\\|]+)"
| rex "service=(?<Service>[A-Za-z._]+)"
| rex "Sites-(?<Country>[A-Z]{2})"
| eval Error_Exception= coalesce(Message,Error2,Exception,ErrorM)
| eval Week=if(now()-_time<604800,"Current_Week","Last_Week")
| stats 
   dc(Week) AS Week_count 
   values(Week) AS Week 
   BY Error_Exception
| eval Week=if(Week_count=2,"Both",Week)
| stats 
   values(eval(if(Week_count=2 OR Week="Last_Week",Error_Exception,"") AS "Last_Week"
   values(eval(if(Week_count=2 OR Week="Current_Week",Error_Exception,"") AS "Current_Week"
   values(eval(if(Week="Current_Week",Error_Exception,"") AS "New Error"

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-20-2022 03:14 AM

Hi @uagraw01,

let me understand: you want to list the new errors in the current week respsct the previous week, is this correct?

if this is yur need, your search is almost correct but not the last three statements.

to list the new errors you need something like this:

Index="ABC" source="/abc.log" ("ERROR" OR "EXCEPTION") earliest=-14d latest=now()
| rex "Error\s(?<Message>.+)MulesoftAdyenNotification"
| rex "fetchSeoContent\(\)\s(?<Exception>.+)"
| rex "Error:(?<Error2>.+)"
| rex "(?<ErrorM>Error in template script)+"
| rex "(?ms)^(?:[^\\|\\n]*\\|){3}(?P<Component>[^\\|]+)"
| rex "service=(?<Service>[A-Za-z._]+)"
| rex "Sites-(?<Country>[A-Z]{2})"
| eval Error_Exception= coalesce(Message,Error2,Exception,ErrorM)
| eval Week=if(now()-_time<604800,"Current_Week","Last_Week")
| stats dc(Week) AS Week_count values(Week) AS Week by Error_Exception
| where Week_count=1 AND Week="Current_Week"
| table Error_Exception

If instead you want to have three columns as the table you shared, you should try something like this:

 

Index="ABC" source="/abc.log" ("ERROR" OR "EXCEPTION") earliest=-14d latest=now()
| rex "Error\s(?<Message>.+)MulesoftAdyenNotification"
| rex "fetchSeoContent\(\)\s(?<Exception>.+)"
| rex "Error:(?<Error2>.+)"
| rex "(?<ErrorM>Error in template script)+"
| rex "(?ms)^(?:[^\\|\\n]*\\|){3}(?P<Component>[^\\|]+)"
| rex "service=(?<Service>[A-Za-z._]+)"
| rex "Sites-(?<Country>[A-Z]{2})"
| eval Error_Exception= coalesce(Message,Error2,Exception,ErrorM)
| eval Week=if(now()-_time<604800,"Current_Week","Last_Week")
| stats 
   dc(Week) AS Week_count 
   values(Week) AS Week 
   BY Error_Exception
| eval Week=if(Week_count=2,"Both",Week)
| stats 
   values(eval(if(Week_count=2 OR Week="Last_Week",Error_Exception,"") AS "Last_Week"
   values(eval(if(Week_count=2 OR Week="Current_Week",Error_Exception,"") AS "Current_Week"
   values(eval(if(Week="Current_Week",Error_Exception,"") AS "New Error"

Ciao.

Giuseppe

Reply
Solved! Jump to solution

uagraw01
Builder
‎10-20-2022 03:49 AM

@gcusello  Thanks for your valuable inputs. I have corrected the parenthesis.

| stats values(eval(if(Week_count=2 OR Week="Last_Week",Error_Exception,""))) AS "Last_Week" values(eval(if(Week_count=2 OR Week="Current_Week",Error_Exception,""))) AS "Current_Week" values(eval(if(Week="Current_Week",Error_Exception,""))) AS "New Error"

In production enevironment it is taking so much time to retreive the results. Can we put any mechanism where we can compare last 10 errors only to optimize the results?

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-20-2022 04:05 AM

Hi @uagraw01,

the stats command is usually very quick, even if there are some eval!

Could you share your full search, maybe there's something to optimize.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

uagraw01
Builder
‎10-20-2022 04:08 AM

Below is my complete SPL ( excluding metadata fields )

("ERROR" OR "EXCEPTION") earliest=-14d latest=now()
| rex field=_raw "Error\s(?<Message>.+)MulesoftAdyenNotification"
| rex field=_raw "fetchSeoContent\(\)\s(?<Exception>.+)"
| rex field=_raw "Error:(?<Error2>.+)"
| rex field=_raw "(?<ErrorM>Error in template script)+"
| rex field=_raw "(?ms)^(?:[^\\|\\n]*\\|){3}(?P<Component>[^\\|]+)"
| rex "service=(?<Service>[A-Za-z._]+)"
| rex "Sites-(?<Country>[A-Z]{2})"
| eval Error_Exception= coalesce(Message,Error2,Exception,ErrorM)
| eval Week=if(now()-_time<604800,"Current_Week","Last_Week")
| stats dc(Week) AS Week_count values(Week) AS Week BY Error_Exception
| eval Week=if(Week_count=2,"Both",Week)
| stats values(eval(if(Week_count=2 OR Week="Last_Week",Error_Exception,""))) AS "Last_Week" values(eval(if(Week_count=2 OR Week="Current_Week",Error_Exception,""))) AS "Current_Week" values(eval(if(Week="Current_Week",Error_Exception,""))) AS "New_Error"
| head 10

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-20-2022 04:21 AM

Hi @uagraw01,

as I said, stats command is usually very quick even if there are some eval options.

At first add the index to the main search and you'll have better performaces.

Then, if you can add more filters (e.g. host or sourcetype) to your main search

I don't think that the "head 10" at the end of the search will save much time.

If you have very many events, you could schedule your search every night and save results in a summary index, then you can run your search on the summary index.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

uagraw01
Builder
‎10-20-2022 04:29 AM

@gcusello My results are look like as below. There are too many results. If you can filter out me only last top 10 unique new errors. How can I use the Approach.

uagraw01_0-1666265626104.png

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-20-2022 05:31 AM

Hi @uagraw01,

it seems that there's an error in the first eval in stats, so please try this:

("ERROR" OR "EXCEPTION") earliest=-14d latest=now()
| rex field=_raw "Error\s(?<Message>.+)MulesoftAdyenNotification"
| rex field=_raw "fetchSeoContent\(\)\s(?<Exception>.+)"
| rex field=_raw "Error:(?<Error2>.+)"
| rex field=_raw "(?<ErrorM>Error in template script)+"
| rex field=_raw "(?ms)^(?:[^\\|\\n]*\\|){3}(?P<Component>[^\\|]+)"
| rex "service=(?<Service>[A-Za-z._]+)"
| rex "Sites-(?<Country>[A-Z]{2})"
| eval Error_Exception= coalesce(Message,Error2,Exception,ErrorM)
| eval Week=if(now()-_time<604800,"Current_Week","Last_Week")
| stats dc(Week) AS Week_count values(Week) AS Week BY Error_Exception
| eval Week=if(Week_count=2,"Both",Week)
| stats values(eval(if(Week="Both" OR Week="Last_Week",Error_Exception,""))) AS "Last_Week" values(eval(if(Week="Both" OR Week="Current_Week",Error_Exception,""))) AS "Current_Week" values(eval(if(Week="Current_Week",Error_Exception,""))) AS "New_Error"

 then as I said, add index and eventually some other field to filter results.

In addition, Error_Exception has very long values, is it correct or is it possible to reduce them?

Ciao.

Giuseppe

Reply
Solved! Jump to solution

uagraw01
Builder
‎10-20-2022 05:36 AM

@gcusello Thanks for correcting the SPL. Yes we can reduce them by using the substr.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-20-2022 06:50 AM

Hi @uagraw01,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...