
I have raw data that looks something like this:

[6/24/22 6:45:20:277 IST] 000005d4 Output     O abcd-ddd-dd.ppp1.ttttttt.net sys      2022-06-24T06:45:20,277 WARN [Server.BatchProcess] Limoc Input : Exception occurred: 100 COMPRESS 'success' EEEE08EE.ERROR-TEXT(1) null
[6/24/22 6:45:20:277 IST] 000005d4 Output     O abcd-ddd-dd.ppp1.ttttttt.net sys      2022-06-24T06:45:20,277 WARN [Server.BatchProcess] Limoc Input : Exception occurred: 101 COMPRESS 'success' EEEE08EE.ERROR-TEXT(2) null

I need help with a rex command that can filter all the messages containing "Limoc Input : Exception occurred: 100", "Limoc Input : Exception occurred: 101" and similar ones, take a count of them, and also print the message following them, e.g. "COMPRESS 'success' EEEE08EE.ERROR-TEXT(1) null". For example:

100 COMPRESS 'success' EEEE08EE.ERROR-TEXT(1) null 2
101 COMPRESS 'success' EEEE08EE.ERROR-TEXT(2) null 3
  • You could use the like function in eval: https://docs.splunk.com/Documentation/Splunk/9.0.0/SearchReference/ConditionalFunctions#like.28TEXT.2C_PATTERN.29. The like function would look like: like(_raw,"%Limoc Input : Exception occurred: 101%") – Daniel Price Jul 19 '22 at 16:44
  • The `rex` command neither filters nor counts. It extracts fields. Use the `regex` command to filter events based on whether they match or fail to match a regular expression. Of course, events that are filtered cannot be counted because they're no longer in the results. – RichG Jul 19 '22 at 18:29

2 Answers


See if this run-anywhere search gets you going in the right direction.

| makeresults
| eval data="[6/24/22 6:45:20:277 IST] 000005d4 Output O abcd-ddd-dd.ppp1.ttttttt.net sys 2022-06-24T06:45:20,277 WARN [Server.BatchProcess] Limoc Input : Exception occurred: 100 COMPRESS 'success' EEEE08EE.ERROR-TEXT(1) null
[6/24/22 6:45:20:277 IST] 000005d4 Output O abcd-ddd-dd.ppp1.ttttttt.net sys 2022-06-24T06:45:20,277 WARN [Server.BatchProcess] Limoc Input : Exception occurred: 101 COMPRESS 'success' EEEE08EE.ERROR-TEXT(2) null"
| eval data=split(data,"
")
| mvexpand data
| eval _raw=data
| fields - data
```Everything above just sets up test data.  Omit IRL```
```Extract the exception number and the text which follows it```
| rex "Limoc Input : Exception occurred: (?<Exception>10[01]) (?<DisplayText>.*)"
```Count the occurrences per exception number and keep the text alongside```
| stats values(DisplayText) as DisplayText, count by Exception
```Display the results (keep Exception so the number appears next to its text)```
| table Exception DisplayText count

Start with a base search looking for your keying text:

index=ndx sourcetype=srctp "Limoc Input : Exception occurred"

Based on your sample data, this rex will pull what you're looking for into a new field, msg:

| rex field=_raw ":\s+(?<msg>\d+\s+\w+.+)"

You can then stats it into a table:

| stats count by msg
  • Hi All, as per Daniel's comment, I am able to count the errors by using the below: eval error=case(_raw LIKE "%Limoc Input : Exception occurred: 100%", "100 COMPRESS 'success' EEEE08EE.ERROR-TEXT(1)", _raw LIKE "%Limoc Input : Exception occurred: 101%", "101 COMPRESS 'success' EEEE08EE.ERROR-TEXT(2)", _raw LIKE "%", "Others") | stats count by error. This gives me a result like this: 100 COMPRESS 'success' EEEE08EE.ERROR-TEXT(1) 4, Others 2000 – Diksha Jul 20 '22 at 08:36
  • But I also want to display the result value of the one which gives 0: 100 COMPRESS 'success' EEEE08EE.ERROR-TEXT(1) 4, 100 COMPRESS 'success' EEEE08EE.ERROR-TEXT(2) 0 – Diksha Jul 20 '22 at 08:40
  • 1
    @Diksha - you can't "count" what isn't there. There won't be any results with a 0, you'll only see what's found :) – warren Jul 20 '22 at 14:01
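The extraction-and-count from the two answers, as an added Python example (not from this thread) that runs offline on constructed lines shaped like the ones in the question; it generalizes the rex's `10[01]` to any exception number and shows that a code absent from the data only shows up with a zero count if you supply the list of expected codes yourself, which is the point warren makes in the last comment.

```python
import re
from collections import Counter

# Constructed sample events in the format shown in the question. The third line
# repeats exception 100 so the counts differ; the fourth has no exception at all.
_PREFIX = ("[6/24/22 6:45:20:277 IST] 000005d4 Output     O abcd-ddd-dd.ppp1.ttttttt.net "
           "sys      2022-06-24T06:45:20,277 WARN [Server.BatchProcess] ")
SAMPLE_EVENTS = [
    _PREFIX + "Limoc Input : Exception occurred: 100 COMPRESS 'success' EEEE08EE.ERROR-TEXT(1) null",
    _PREFIX + "Limoc Input : Exception occurred: 101 COMPRESS 'success' EEEE08EE.ERROR-TEXT(2) null",
    _PREFIX + "Limoc Input : Exception occurred: 100 COMPRESS 'success' EEEE08EE.ERROR-TEXT(1) null",
    _PREFIX + "Limoc Input : batch finished",
]

# Same shape as the rex in the first answer, with \d+ instead of 10[01] so that
# "similar ones" (102, 103, ...) are captured too.
EXCEPTION_RE = re.compile(
    r"Limoc Input : Exception occurred: (?P<Exception>\d+) (?P<DisplayText>.*)"
)


def extract(event):
    """Equivalent of `| rex ...`: return (Exception, DisplayText) or None if no match."""
    m = EXCEPTION_RE.search(event)
    if m is None:
        return None
    return m.group("Exception"), m.group("DisplayText")


def count_by_exception(events, expected=()):
    """Equivalent of `| stats values(DisplayText) as DisplayText, count by Exception`.

    Splunk only reports groups that exist in the results. Passing `expected`
    (codes you want listed even when absent) is how a zero row can be produced.
    """
    counts = Counter()
    texts = {}
    for event in events:
        hit = extract(event)
        if hit is None:
            continue  # events without the keying text are not counted
        code, text = hit
        counts[code] += 1
        texts.setdefault(code, set()).add(text)
    for code in expected:
        counts.setdefault(code, 0)
        texts.setdefault(code, set())
    return {code: {"count": counts[code], "DisplayText": sorted(texts[code])}
            for code in sorted(counts)}
```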