"not in" stacktrace
Hi,
We want to create a search to extract all exceptions (java stacktrace).
But then filter out some known recurring errors, by looking up a manually controlled static list.
Could someone please help with some implementation ideas?
-
Hi Hirak,
You can do this using the below steps:
1. Parse out the stack trace using parse anchor or parse regex, depending on how the info you need to parse appears in the log (if it's a JSON log, you can use parse json)
2. Filter out errors using:
where !(exception matches "*some_string*")
- If you need to filter out a list of strings, you can use multiple statements:
| where !((exception matches "*some_string*") or
(exception matches "*some_string2*") or
(exception matches "*some_string3*") ...)
3. You can also use a Lookup file to save this list of exclusions if it's long or you don't want to list it in the query
In terms of performance, where statements are slower than adding keywords at the start of the query to select for strings (whitelist), so if possible that will allow for a faster query:
_sourceCategory=prod/app (string1 or string2 or string3...) // only return results with these strings in the log
| <parser here>
| count by <exception_field_name>
-
Thanks Graham.
So my use case is to find all exceptions "but" the known ones. So couldn't add the list in the select.
I have already tested the where clause syntax you gave above, it's working perfectly for me. Performance is not a concern, because this is for a dashboard.
I will try the lookup file option today.
Thanks for your help
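
Added example, not written by either poster: the lookup-file option from step 3 combined with the "not in" filter, as one query. The lookup table path, its columns `exception` (key) and `reason`, and the regex for the exception class name are assumptions; replace them with your own.

```sumo
// Scope with a keyword first so the parser only sees candidate lines
_sourceCategory=prod/app exception
// Assumed pattern: fully qualified Java class name ending in "Exception";
// messages that do not match are dropped by parse regex
| parse regex "(?<exception>[\w.$]+Exception)"
// Assumed lookup table with columns: exception (primary key), reason
// The path below is a placeholder, not a real location
| lookup reason from path://"/Library/Users/<your_user>/known_exceptions" on exception=exception
// "not in": keep only rows with no entry in the known-exceptions table
| where isNull(reason)
| count by exception
| sort by _count
```

The lookup joins on the exact field value, not on wildcards as `matches` does, so the table must hold the same class names the parse step extracts.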