Splunk Query - Search unique exception from logs with counts
I want to search for exceptions and their occurrences. I would like to see the results in the following format:
|Exception Name |Count|
|NullPointerException| 2 |
|ConnectException | 6 |
|MailConnectException| 10 |
The logs look like this -
- Caused by: java.lang.NullPointerException: null
- Caused by: com.sun.mail.util.MailConnectException: Couldn't connect to host, port: localhost, 25; timeout -1
- Caused by: java.net.ConnectException: Connection refused (Connection refused)
I wrote the search queries below -
index="*zp0853-a*" container_name="test-api" "*Caused by*" (Showing all Exceptions list)
index="*zp0853-a*" container_name="test-api" "*Caused by*" | stats count (Showing only total counts)
You should split "_raw" using the proper delimiter and then index into the split using mvindex
| eval exception=mvindex(split(_raw,":"),1) | stats count by exception
To get a count of each exception, you need to extract the exception name. I like to use rex for that.
index="*zp0853-a*" container_name="test-api" "*Caused by*"
| rex "by: (?<exception>[^:]+)"
| stats count by exception
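Added example, not part of the original question or answers: a Python check of the two extraction approaches above against constructed log lines, including two cases the sample logs do not show (a timestamp prefix containing colons, and one multi-line event with chained causes). EVENTS, the timestamp and the SHORT_NAME pattern are assumptions made for illustration; Python writes the named group as (?P<name>...) where rex uses (?<name>...).

```python
import re
from collections import Counter

# Constructed sample events (not from a real index). The first has a constructed
# timestamp prefix; the last is one multi-line event with two chained causes.
EVENTS = [
    "2024-01-01 10:00:01 ERROR Caused by: java.lang.NullPointerException: null",
    "Caused by: com.sun.mail.util.MailConnectException: Couldn't connect to host, "
    "port: localhost, 25; timeout -1",
    "Caused by: java.net.ConnectException: Connection refused (Connection refused)",
    "javax.mail.MessagingException: send failed\n"
    "Caused by: com.sun.mail.util.MailConnectException: Couldn't connect to host\n"
    "Caused by: java.net.ConnectException: Connection refused (Connection refused)",
]

# Pattern from the rex answer; Python spells the named group (?P<name>...).
REX_ANSWER = re.compile(r"by: (?P<exception>[^:]+)")
# Assumed variant: skip the package prefix and keep only the class name.
SHORT_NAME = re.compile(r"Caused by: (?:\w+\.)*(?P<exception>\w+)")


def by_split(raw):
    """Mirror of mvindex(split(_raw, ":"), 1): second colon-separated piece."""
    parts = raw.split(":")
    return parts[1] if len(parts) > 1 else None


def first_match(pattern, raw):
    """One value per event, like rex with its default max_match=1."""
    m = pattern.search(raw)
    return m.group("exception") if m else None


def count_all(pattern, events):
    """Count every match in every event, like rex max_match=0 then stats count by."""
    counts = Counter()
    for raw in events:
        counts.update(m.group("exception") for m in pattern.finditer(raw))
    return counts


if __name__ == "__main__":
    for raw in EVENTS:
        print(repr(by_split(raw)), "|", first_match(REX_ANSWER, raw))
    for name, n in count_all(SHORT_NAME, EVENTS).most_common():
        print(f"{name:<24}{n}")
```

The split approach returns a piece of the timestamp for the first event, while the regex anchors on the "by: " text and is unaffected by what precedes it.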