Splunk Search

find # of exceptions/errors for a given sourcetype

seanlon11
Path Finder

I am trying to create a table (and then a report) of all exceptions/errors that occur for a given sourcetype.

The primary problem (I suspect) is that I am not doing a count on a given field. The reason for this is that there is nothing common to extract that I can see so far because there are no key-value pairs when it comes to errors/exceptions.

My query looks like:

eventtype="all_web" (error OR exception) | chart count(events) as eventsBySourceTypeCnt by sourcetype | table sourcetype eventsBySourceTypeCnt

I didn't think counting on "events" was going to work, but I had to start somewhere.

Some of the data returned by just the first portion of the query would be:

  • commitCloseConnection - [18 Nov 2010 16:49:16,434] - ERROR [Default : 1617] PolarisDAO.java:190) - A java.lang.NullPointerException occurred - no detail available.
  • [11/18/10 16:49:22:214 CST] 0000237b SystemErr R java.io.FileNotFoundException: /favicon.ico

Any ideas what I can do here to count just the events? It would be nice to know how many NullPointerExceptions, Errors, or FileNotFoundExceptions there are per sourcetype, but I don't think I'm to that point yet.

Thanks, Sean

1 Solution

southeringtonp
Motivator

So is the goal to get a table containing each sourcetype and the number of error events?

eventtype="all_web" (error OR exception) | stats count by sourcetype

If you need more granularity, remember that eventtypes can be nested, so one approach would be to simply create a set of new eventtypes, then chart by eventtype. For example:

In eventtypes.conf (or configure via the manager):

# one nested eventtype per exception class; each stanza needs a "search =" key
[webapp-error-FileNotFoundException]
search = eventtype="all_web" (error OR exception) FileNotFoundException

[webapp-error-NullPointerException]
search = eventtype="all_web" (error OR exception) NullPointerException

Once you have the eventtypes defined, use eval with mvfilter to get rid of any extraneous eventtypes, and then create your table:

eventtype="webapp-error-*"
| eval errorType = mvfilter(eventtype LIKE "webapp-error-%")
| stats count by sourcetype, errorType

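To make the two-stage pipeline in the answer concrete, here is an added Python model (not code from the post, and not Splunk's own) that runs the same logic over a handful of constructed events modelled on the two lines quoted in the question: the base `(error OR exception)` search, the nested `webapp-error-*` eventtypes with the `mvfilter` step, and, as a generalisation the answer does not cover, a regex extraction of the exception class name so that you do not need to define one eventtype per class (in SPL that would be a `rex` extraction followed by `stats count by sourcetype, exceptionClass`; that query is my assumption, not from the post). The sourcetype names and the assumption that every sample event belongs to `all_web` are illustrative only.

```python
import re
from collections import Counter

# Constructed sample events modelled on the two lines quoted in the question.
# Each entry is (sourcetype, _raw); the sourcetype names are assumed for illustration.
SAMPLE_EVENTS = [
    ("webapp:app", "commitCloseConnection - [18 Nov 2010 16:49:16,434] - ERROR [Default : 1617] "
                   "PolarisDAO.java:190) - A java.lang.NullPointerException occurred - no detail available."),
    ("webapp:syserr", "[11/18/10 16:49:22:214 CST] 0000237b SystemErr R java.io.FileNotFoundException: /favicon.ico"),
    ("webapp:syserr", "[11/18/10 16:49:23:001 CST] 0000237c SystemErr R java.io.FileNotFoundException: /robots.txt"),
    ("webapp:app", "closeStatement - [18 Nov 2010 16:50:02,118] - ERROR [Default : 1618] "
                   "PolarisDAO.java:212) - A java.lang.NullPointerException occurred - no detail available."),
    ("webapp:app", "openConnection - [18 Nov 2010 16:50:05,000] - INFO [Default : 1619] "
                   "PolarisDAO.java:55) - connection acquired in 12 ms"),          # not an error: must be excluded
    ("webapp:app", "openConnection - [18 Nov 2010 16:50:09,451] - ERROR [Default : 1620] "
                   "PolarisDAO.java:61) - connection pool exhausted"),              # error, but names no exception class
]

# The base search `(error OR exception)`, simplified to a case-insensitive substring
# test (Splunk matches indexed terms, which is stricter than this).
BASE_TERMS = re.compile(r"error|exception", re.IGNORECASE)


def in_all_web(raw):
    # The page never shows how eventtype="all_web" is defined; assume every
    # sample event belongs to it.
    return True


def matches_base_search(raw):
    return in_all_web(raw) and BASE_TERMS.search(raw) is not None


# The nested eventtypes from the answer's eventtypes.conf, as predicates over _raw.
EVENTTYPES = {
    "all_web": in_all_web,
    "webapp-error-FileNotFoundException":
        lambda raw: matches_base_search(raw) and "FileNotFoundException" in raw,
    "webapp-error-NullPointerException":
        lambda raw: matches_base_search(raw) and "NullPointerException" in raw,
}


def eventtypes_for(raw):
    """Splunk tags each event with every eventtype whose search matches it,
    so the eventtype field is multivalued."""
    return [name for name, pred in EVENTTYPES.items() if pred(raw)]


def count_by_sourcetype(events):
    """`eventtype="all_web" (error OR exception) | stats count by sourcetype`"""
    return dict(Counter(st for st, raw in events if matches_base_search(raw)))


def count_by_error_eventtype(events):
    """`eventtype="webapp-error-*" | eval errorType=mvfilter(eventtype LIKE "webapp-error-%")
    | stats count by sourcetype, errorType`
    stats splits a multivalue errorType into one row per value, so an event
    carrying two webapp-error-* eventtypes would be counted under each."""
    counts = Counter()
    for st, raw in events:
        error_types = [e for e in eventtypes_for(raw) if e.startswith("webapp-error-")]  # mvfilter
        for et in error_types:
            counts[(st, et)] += 1
    return dict(counts)


# Generalisation: extract the Java class name instead of defining one eventtype per
# class. Matches a (possibly package-qualified) identifier ending in Exception/Error.
CLASS_RE = re.compile(r"\b((?:[A-Za-z_$][\w$]*\.)*[A-Za-z_$][\w$]*(?:Exception|Error))\b")


def exception_class(raw):
    """Short class name of the first exception mentioned, or 'other-error' for an
    event that matched the base search without naming one."""
    m = CLASS_RE.search(raw)
    return m.group(1).rsplit(".", 1)[-1] if m else "other-error"


def count_by_exception_class(events):
    """Like count_by_error_eventtype but keyed on the extracted class name; the SPL
    equivalent (assumed) is a `rex` extraction then `stats count by sourcetype, exceptionClass`."""
    counts = Counter()
    for st, raw in events:
        if matches_base_search(raw):
            counts[(st, exception_class(raw))] += 1
    return dict(counts)


if __name__ == "__main__":
    for (st, et), n in sorted(count_by_exception_class(SAMPLE_EVENTS).items()):
        print(f"{st:15} {et:25} {n}")
```

Note the difference between the two granular counts on the last sample event: the eventtype approach silently drops an ERROR line that names no exception class (it matches no `webapp-error-*` eventtype), whereas the extraction approach keeps it under an `other-error` bucket, which is usually what you want in a report so that unclassified failures are not lost.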
seanlon11
Path Finder

Thanks for the info.
