Splunk Search

I need to add a filter to the error query into the total transaction query so that I can get filtered error counts as well as

Aj01
Path Finder

Hi, I need to add a filter to the error query into the total transaction query so that I can get filtered error counts as well as total transactions in two columns with the service name.

This is the query I am using to get total transactions and total errors:

index="iss" Environment=PROD
| where Appid IN ("APP-61", "APP-85", "APP-69", "APP-41", "APP-57", "APP-71", "APP-50", "APP-87")
| rex field=_raw " (?<service_name>\w+)-prod"
| eval err_flag = if(level="ERROR", 1,0)
| eval success_flag = if(level!="ERROR", 1,0)
| stats sum(err_flag) as Total_Errors, sum(success_flag) as Total_Successes by service_name
| eval Total_Transaction = (Total_Successes+Total_Errors)
| fields service_name, Total_Transaction, Total_Errors, Total_Successes

I need to add a search filter into errors so that it will only count those filtered errors, not all errors, and merge this query below into the one above in the err_flag line:

index="iss" Environment=PROD "Invalid JS format" OR ":[down and unable to retrieve response" OR "[Unexpected error occurred" OR ": [An unknown error has occurred" OR "exception" OR OR IN THE SERVICE" OR "emplateErrorHandler : handleError :" OR "j.SocketException: Connection reset]" OR "Power Error Code" OR "[Couldn't kickstart handshaking]" OR "[Remote host terminated the handshake]" OR "Caused by:[JNObject" OR "processor during S call" OR javx OR "Error while calling" OR level="ERROR" NOT "NOT MATCH THE CTRACT" NOT "prea_too_large" NOT g-500 NOT G-400 NOT "re-submit the request" NOT "yuu is null" NOT "igests data" NOT "characters" NOT "Asset type" NOT "Inputs U" NOT "[null" NOT "Invalid gii"


Please help me, it would be wonderful. Thank you.


yuanliu
SplunkTrust

According to your first search, whether an event is counted as an error is solely determined by a field named level, and only when its value is "ERROR" do you consider the event an error.  Is this correct?  All you need to do is to literally combine this criterion and the filters in the second with OR logic.  Something like

index="iss" Environment=PROD Appid IN ("APP-61", "APP-85", "APP-69", "APP-41", "APP-57", "APP-71", "APP-50", "APP-87")
( ("Invalid JS format" OR ":[down and unable to retrieve response"
 OR "[Unexpected error occurred" OR ": [An unknown error has occurred"
 OR "exception" OR "IN THE SERVICE" OR "emplateErrorHandler : handleError :"
 OR "j.SocketException: Connection reset]" OR "Power Error Code"
 OR "[Couldn't kickstart handshaking]"
 OR "[Remote host terminated the handshake]" OR "Caused by:[JNObject"
 OR "processor during S call" OR javx OR "Error while calling"
 OR level="ERROR" NOT "NOT MATCH THE CTRACT" NOT "prea_too_large"
 NOT g-500 NOT G-400 NOT "re-submit the request" NOT "yuu is null"
 NOT "igests data" NOT "characters" NOT "Asset type"
 NOT "Inputs U" NOT "[null" NOT "Invalid gii"
) OR level!=ERROR)
| rex field=_raw " (?<service_name>\w+)-prod"
| eval err_flag = if(level="ERROR", 1,0)
| eval success_flag = if(level!="ERROR", 1,0)
| stats sum(err_flag) as Total_Errors, sum(success_flag) as Total_Successes by service_name
| eval Total_Transaction = (Total_Successes+Total_Errors)
| fields service_name, Total_Transaction, Total_Errors, Total_Successes

Note I removed the "| where" command in the first because it is more efficient to place the simple filter as a search filter.  I also corrected a syntax error in the second from OR OR IN THE SERVICE" to OR "IN THE SERVICE".  If any of these changes the semantics, make adjustments.  Hope this helps.
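An alternative worth keeping beside the accepted answer (added here, not part of the original post or answer): leave the base search broad so Total_Transaction counts every PROD event for the listed Appids, and apply the include/exclude terms from the second search inside the err_flag line with match(), which is where the question wanted the filter. The field names, Appids and search terms are the ones on this page; the match() regexes drop the punctuation around the terms (Splunk tokenizes those away in the base search anyway) and use (?i) to reproduce the case-insensitive matching of bare search terms, and the include_hit/exclude_hit helper fields are my own.

```spl
index="iss" Environment=PROD Appid IN ("APP-61", "APP-85", "APP-69", "APP-41", "APP-57", "APP-71", "APP-50", "APP-87")
| rex field=_raw " (?<service_name>\w+)-prod"
| eval include_hit = if(level="ERROR" OR match(_raw, "(?i)Invalid JS format|down and unable to retrieve response|Unexpected error occurred|An unknown error has occurred|exception|IN THE SERVICE|emplateErrorHandler : handleError :|SocketException: Connection reset|Power Error Code|Couldn't kickstart handshaking|Remote host terminated the handshake|Caused by:\[JNObject|processor during S call|javx|Error while calling"), 1, 0)
| eval exclude_hit = if(match(_raw, "(?i)NOT MATCH THE CTRACT|prea_too_large|g-500|g-400|re-submit the request|yuu is null|igests data|characters|Asset type|Inputs U|\[null|Invalid gii"), 1, 0)
| eval err_flag = if(include_hit=1 AND exclude_hit=0, 1, 0)
| eval success_flag = 1 - err_flag
| stats count as Total_Transaction, sum(err_flag) as Total_Errors, sum(success_flag) as Total_Successes by service_name
| fields service_name, Total_Transaction, Total_Errors, Total_Successes
```

With this shape Total_Transaction is every event in the base search, so an error that misses the include terms or hits an exclusion is counted in Total_Successes rather than dropped; if such events should not be in the total at all, the accepted answer's approach of filtering in the base search is the one to use.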


