topic Re: How can I display the seach results whcih are occured more than 3 times over last one hour in Splunk Search

How can I display the seach results whcih are occured more than 3 times over last one hour

Ravi_c — Wed, 23 Apr 2014 11:19:04 GMT

Hi,

Im having the search events like this

23 Apr 2014 02:46:32,986 - 3339321692 [FtpTaskQueue] Error in Uploading Files
23 Apr 2014 02:46:31,672 - 3339320378 [FtpTaskQueue] Error in Uploading Files
23 Apr 2014 02:31:32,242 - 3338420948 [FtpTaskQueue] Error in Uploading Files
Here "Error in Uploading Files" has occured more than 3 times, at different times

so I need to display this error count as 3 under different hosts, I have areound 12 hosts whicha re have events like this.If the count is 2 for last one hour, then I should not display the host.

Please Help.

Re: How can I display the seach results whcih are occured more than 3 times over last one hour

MuS — Wed, 23 Apr 2014 12:05:55 GMT

Hi Ravi_c,

without any further details given, you could do something like this:

YourBaseSearchHere "Error in Uploading Files" | timechart span=1h count by host | where count>=3

cheers, MuS

Re: How can I display the seach results whcih are occured more than 3 times over last one hour

Ravi_c — Wed, 23 Apr 2014 12:17:46 GMT

Nothing was displaying with your solution

Re: How can I display the seach results whcih are occured more than 3 times over last one hour

MuS — Wed, 23 Apr 2014 12:52:46 GMT

Did you consider the fact that you maybe don't have any errors currently?
If you could provide the exact search you did and maybe some more information it would be easier to help ... 'nothing was displaying ...' isn't helpful either

Re: How can I display the seach results whcih are occured more than 3 times over last one hour

Ravi_c — Wed, 23 Apr 2014 13:01:51 GMT

Hi,

|timechart span=15m count by host| where count > 2|rename _time AS Time | eval Time=strftime(Time, "%d/%m/%Y %H:%M")

Re: How can I display the seach results whcih are occured more than 3 times over last one hour

MuS — Wed, 23 Apr 2014 13:19:21 GMT

Sorry but this search does not reflect your question, you asked for three event in one hour but your search checks for more then 2 and timechart spans 15minutes. Also is some placeholder or are you litteraly searching for this?

Re: How can I display the seach results whcih are occured more than 3 times over last one hour

Ravi_c — Mon, 28 Sep 2020 16:27:31 GMT

Hi,

Im using

YourBaseSearchHere earliest=-60m | regex _raw="uploading reports to FTP server" | fields _raw,host | stats count(_raw) as CNT | where CNT > 3

This is returing only total count, I need the _raw and host, so how can I write the search to get the _raw,host, If search count >=3.

Re: How can I display the seach results whcih are occured more than 3 times over last one hour

linu1988 — Thu, 24 Apr 2014 06:22:33 GMT

it's equal if you extract the name from the search or if it is there in the event itself the count wont change So @Mus 's search is the way to go.

YourBaseSearchHere earliest=-60m "uploading reports to FTP server" | stats count(_raw) as CNT | where CNT > 3

This is it!

Re: How can I display the seach results whcih are occured more than 3 times over last one hour

Ravi_c — Thu, 24 Apr 2014 06:56:25 GMT

Its giving me the count, I dont want count to come in the rsult, I want the matching events (_raw), which are having more than the count 3.

I need to display the results if and only if the events count > 3.

Re: How can I display the seach results whcih are occured more than 3 times over last one hour

MuS — Thu, 24 Apr 2014 07:05:44 GMT

okay listen, like @Ayn said in the other post: we are not here to solve your problems, we can help you to solve them on your own! I gave you the direction, you have to walk the path on your own ... and a good starting point is here