Refine your search:

find # of exceptions/errors for a given sourcetype

0

I am trying to create a table (and then a report) of all exceptions/errors that occur for a given sourcetype.

The primary problem (i suspect) is that I am not doing a count on a given field. The reason for this is that there is nothing common to extract that I can see so far because there are no key-value pairs when it comes to errors/exceptions.

My query looks like:

eventtype="all_web" (error OR exception) | chart count(events) as eventsBySourceTypeCnt by sourcetype | table sourcetype eventsBySourceTypeCnt

I didn't think counting on "events" was going to work, but I had to start somewhere.

Some of the data returned would by just the first portion of the query would be:

  • commitCloseConnection - [18 Nov 2010 16:49:16,434] - ERROR [Default : 1617] PolarisDAO.java:190) - A java.lang.NullPointerException occurred - no detail available.
  • [11/18/10 16:49:22:214 CST] 0000237b SystemErr R java.io.FileNotFoundException: /favicon.ico

Any ideas what I can do here to count just the events? It would be nice to know how many NullPointerExceptions, Errors, or FileNotFoundExceptions there are per sourcetype, but I don't think I'm to that point yet.

Thanks, Sean

asked 18 Nov '10, 22:54

seanlon11's gravatar image

seanlon11
2131221
accept rate: 25%

One Answer:
oldestnewestmost voted
1

So is the goal to get a table containing each sourcetype and the number of error events?

eventtype="all_web" (error OR exception) | stats count by sourcetype

If you need more granularity, remember that eventtypes can be nested, so one approach would be to simply create a set of new eventtypes, then chart by eventtype. For example:

In eventtypes.conf (or configure via the manager):

[webapp-error-FileNotFoundException]
eventtype="all_web" (error OR exception) FileNotFoundException

[webapp-error-FileNotFoundException]
eventtype="all_web" (error OR exception) NullPointerException

Once you have the eventtypes defined, use eval with mvfilter to get rid of any extraneous eventtypes, and then create your table:

eventtype="webapp-error-*"
| eval errorType = mvfilter(eventtype LIKE "webapp-error-%")
| stats count by sourcetype, errorType
link

answered 18 Nov '10, 23:22

southeringtonp's gravatar image

southeringtonp ♦
4.9k2524
accept rate: 35%

Thanks for the info.

(19 Nov '10, 19:59) seanlon11
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×248
×167
×138

Asked: 18 Nov '10, 22:54

Seen: 756 times

Last updated: 18 Nov '10, 23:22

Related questions

cannot find sourcetype squid

Identifying "idle" sources

Find the common/same source ip (src) across several hosts with same sourcetype

Stats Count with Moving AVG for a given time

Limit search results to a sourcetype

Count Sourcetype by Day

How to determine the average size of my indexed events?

find broken events

Recognising individual events

Copyright © 2005-2012 Splunk Inc. All rights reserved.