https://community.splunk.com/t5/Security/Devices-with-the-most-error/m-p/63154#M13958 <P>Can you provide a sample of your logs ?</P> Wed, 30 May 2012 03:45:39 GMT Damien_Dallimor 2012-05-30T03:45:39Z https://community.splunk.com/t5/Security/Devices-with-the-most-error/m-p/63153#M13957 <P>Hello,<BR /> I am new to splunk and would like some help in displaying the top devices on my network that produces the most error. Can someone assist??</P> Wed, 30 May 2012 03:40:13 GMT https://community.splunk.com/t5/Security/Devices-with-the-most-error/m-p/63153#M13957 Starky 2012-05-30T03:40:13Z https://community.splunk.com/t5/Security/Devices-with-the-most-error/m-p/63154#M13958 <P>Can you provide a sample of your logs ?</P> Wed, 30 May 2012 03:45:39 GMT https://community.splunk.com/t5/Security/Devices-with-the-most-error/m-p/63154#M13958 Damien_Dallimor 2012-05-30T03:45:39Z https://community.splunk.com/t5/Security/Devices-with-the-most-error/m-p/63155#M13959 <P>I want to see the cisco devices that has the most input/output errors over a 7 days period. The below is for one of my devices.</P> <P>Total Counters since 01/17/13 04:30 PM EST<BR /> 286663 input errors, 0 output errors<BR /> 0 input discards, 0 output discards<BR /> 11570 interface resets, 69 carrier transitions</P> Wed, 30 May 2012 12:49:24 GMT https://community.splunk.com/t5/Security/Devices-with-the-most-error/m-p/63155#M13959 Starky 2012-05-30T12:49:24Z https://community.splunk.com/t5/Security/Devices-with-the-most-error/m-p/63156#M13960 <P>Your best bet would be to find your error events, and then create eventtypes for them. You would then be able to search for the eventtype, and get a count of the hosts. For example:</P> <P>index=firewall eventtype=fw_input_errors | stats count by host</P> <P>For the time period you can use the time picker, or add it to the search:</P> <P>earliest=-7d latest=now index=firewall eventtype=fw_input_errors | stats count by host</P> <P>More on eventtypes:</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/knowledge/Defineeventtypes">http://docs.splunk.com/Documentation/Splunk/latest/knowledge/Defineeventtypes</A></P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/eventtypesconf">http://docs.splunk.com/Documentation/Splunk/latest/Admin/eventtypesconf</A></P> <P>HTH,</P> <P>Dave</P> Wed, 30 May 2012 13:06:40 GMT https://community.splunk.com/t5/Security/Devices-with-the-most-error/m-p/63156#M13960 dshpritz 2012-05-30T13:06:40Z https://community.splunk.com/t5/Security/Devices-with-the-most-error/m-p/63157#M13961 <P>Thanks Dave.. But maybe becuase i am such a newb.. i am still lost.. I have about 100 cisco switches and routers across MPLS.. But i want to see the to 10 devices give the most errors over a 7 days period. I have a deadline i am trying to meet for Tuesday and i am really stuck.<BR /> Thank you in advance.</P> Thu, 31 May 2012 20:40:23 GMT https://community.splunk.com/t5/Security/Devices-with-the-most-error/m-p/63157#M13961 Starky 2012-05-31T20:40:23Z https://community.splunk.com/t5/Security/Devices-with-the-most-error/m-p/63158#M13962 <P>Are you able to find the error events that you want to count in your data?</P> Thu, 31 May 2012 21:28:32 GMT https://community.splunk.com/t5/Security/Devices-with-the-most-error/m-p/63158#M13962 dshpritz 2012-05-31T21:28:32Z