kjivan/splunk-queries.md

Last active December 17, 2021 16:38

Star (0) You must be signed in to star a gist
Fork (0) You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/kjivan/2e53a7833aa5b07bf0e6e45008ec02ba.js"></script>
Save kjivan/2e53a7833aa5b07bf0e6e45008ec02ba to your computer and use it in GitHub Desktop.

Download ZIP

Splunk Queries

Raw

splunk-queries.md

Splunk Queries

Getting Errors

index=<index>
AND CASE("ERROR")

Java Exceptions & Stack Traces

index=<index>
| transaction startswith="CASE("ERROR")" maxevents=250 mvlist=true 
| table message

Get Errors group by Count

index=<index>
AND (error OR exception)
| table message 
| eval message=replace(message,"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d*\s","")
| stats count by message
| sort -count