Splunk Merge Dynamic Fields

This query finds events containing Exception or Error, uses two rex pattern matches to extract the text following each keyword, merges the two extracted fields into one, and groups on the first 50 characters of the merged value to produce counts per error type:

Exception OR Error host="test" OR host="test2" source="file" | rex field=_raw "(?ms).*Exception(?<ETypes>.*).*" | rex field=_raw "(?ms).*Error(?<ErTypes>.*).*" | rename ETypes as ETotal | rename ErTypes as ETotal | eval EType=substr(ETotal,1,50) | stats count by EType | sort 0 - count
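As an added example that is not part of the original post, the following Python emulates that pipeline over a few constructed log events, so you can check what the greedy rex patterns actually capture and which events end up with no EType (and are therefore dropped by stats) before running the search against real data. The merge step is written as a coalesce that prefers the Exception capture; that is an assumption about what the two renames are meant to achieve.

```python
import re
from collections import Counter

# Constructed sample events (not from the original post); each string is one _raw event.
SAMPLE_EVENTS = [
    "10:00:00 app - java.lang.NullPointerException: user id was null\n\tat com.example.Foo.bar(Foo.java:10)",
    "10:00:05 app - java.lang.NullPointerException: user id was null\n\tat com.example.Foo.bar(Foo.java:10)",
    "10:00:09 app - java.lang.NullPointerException: user id was null\n\tat com.example.Foo.bar(Foo.java:10)",
    "10:01:00 db  - Connection Error: timeout after 30s",
    "10:02:00 app - request ok",
    "10:03:00 db  - Connection Error: timeout after 30s",
    "10:04:00 db  - ERROR connection refused",  # uppercase: the base search matches it, the rex does not
]

# Same patterns as the two rex commands; (?ms) makes "." also match newlines.
# Because the leading .* is greedy, the capture starts after the LAST occurrence of the keyword.
EXC_RE = re.compile(r"(?ms).*Exception(?P<ETypes>.*).*")
ERR_RE = re.compile(r"(?ms).*Error(?P<ErTypes>.*).*")


def extract_fields(event):
    """rex step: return (ETypes, ErTypes); a field is None when its pattern does not match."""
    exc = EXC_RE.match(event)
    err = ERR_RE.match(event)
    return (exc.group("ETypes") if exc else None, err.group("ErTypes") if err else None)


def error_type_counts(events, width=50):
    """Emulates rename/eval/stats/sort: counts of the first `width` chars of the merged capture."""
    counts = Counter()
    for event in events:
        etypes, ertypes = extract_fields(event)
        # Merge step as a coalesce (assumption): take whichever capture exists, Exception first.
        etotal = etypes if etypes is not None else ertypes
        if etotal is None:
            continue  # no EType field at all, so "stats count by EType" drops the event
        counts[etotal[:width]] += 1  # eval EType=substr(ETotal,1,50)
    # sort 0 - count: every row, descending by count; ties broken by name for determinism
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for etype, count in error_type_counts(SAMPLE_EVENTS):
        print(f"{count:4d}  {etype!r}")
```

Note that the uppercase "ERROR" event is returned by the case-insensitive base search but matched by neither case-sensitive rex, so it silently disappears from the statistics.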
