"not in" stacktrace


  • Graham Watts

    Hi Hirak,

    You can do this using the below steps:

    1. Parse out the stack trace using parse anchor or parse regex, depending on how the info you need to parse appears in the log (if it's a JSON log, you can use parse json).

    2. Filter out errors using: 

    where !(exception matches "*some_string*")
    • If you need to filter out a list of strings, you can use multiple statements:
      | where !((exception matches "*some_string*") or
      (exception matches "*some_string2*") or
      (exception matches "*some_string3*") ...

    3. You can also use a Lookup file to save this list of exclusions if it's long or you don't want to list it in the query.

    In terms of performance, where statements are slower than adding keywords at the start of the query to select for strings (whitelist), so if possible that will allow for a faster query:

       _sourceCategory=prod/app (string1 or string2 or string3...) // only return results with these strings in the log
       | <parser here>
       | count by <exception_field_name>  

  • Hirak Chatterjee

    Thanks Graham.

    So my use case is to find all exceptions "but" the known ones. So couldn't add the list in the select.

    I have already tested the where clause syntax you gave above, it's working perfectly for me. Performance is not a concern, because this is for a dashboard.

    I will try the lookup file option today.

    Thanks for your help.

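The lookup-file option from step 3, written out as an added example that is not from either poster: it assumes a hypothetical lookup file at /shared/known_exceptions with the columns exception and known, and a hypothetical parse regex for Java-style exception class names. Unlike the wildcard matches filters in step 2, lookup joins on an exact value, so the file has to hold the full parsed exception names.

```sumologic
// Assumed lookup file /shared/known_exceptions (hypothetical path and columns):
//   exception,known
//   java.net.SocketTimeoutException,true
//   com.example.app.RetryableException,true
_sourceCategory=prod/app
// Hypothetical regex: capture the first fully qualified class name ending in Exception or Error
| parse regex "(?<exception>[A-Za-z0-9_.$]+(?:Exception|Error))"
// Join each parsed exception against the exclusion list; unmatched rows get a null "known"
| lookup known from /shared/known_exceptions on exception=exception
// Keep only exceptions that are NOT in the known list
| where isNull(known)
| count by exception
| sort by _count
```

New exclusions are then added by updating the lookup file, with no change to the dashboard query.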