Morez
Reputation: 2186
Splunk Query - Search unique exception from logs with counts
I want to search exceptions along with its occurrences. I would like see results in below format
|Exception Name |Count|
|NullPointerException| 2 |
|ConnectException | 6 |
|MailConnectException| 10 |
Logs looks like this -
- Caused by: java.lang.NullPointerException: null
- Caused by: com.sun.mail.util.MailConnectException: Couldn't connect to host, port: localhost, 25; timeout -1
- Caused by: java.net.ConnectException: Connection refused (Connection refused)
Written below search query -
index="*zp0853-a*" container_name="test-api" "*Caused by*" (Showing all Exceptions list)
index="*zp0853-a*" container_name="test-api" "*Caused by*" | stats count (Showing only total counts)
Upvotes: 0
Views: 3755
Answers (2)
RichG
Reputation: 9906
To get counts for each exception you'll need to extract the exception name. I like to use rex for that.
index="*zp0853-a*" container_name="test-api" "*Caused by*"
| rex "by: (?<exception>[^:]+)"
| stats count by exception
Upvotes: 4
Raven
Reputation: 198
You should split the "_raw" with correct separator and mouve into the splitted with mvindex
eval exception=mvindex(split(_raw,":"),1)|stats count by exception
Upvotes: 1
Related Questions
- Splunk: search for “a first log that got printed, but the second was not printed”
- Splunk: Get a count of all occurrences of a string?
- How to find duplicate log events in Splunk
- Splunk: count by Id
- Splunk conditional distinct count
- Splunk: Matching an error log and obtaining the count of it
- How to count the total number of events in a splunk search result?
- splunk query for counting based on regex
- Splunk Query Count of Count
- How to get the number of "unique" request with splunk