topic Re: How to find the top 10 error codes by each host and display the count in a table? in Splunk Search

How to find the top 10 error codes by each host and display the count in a table?

SathyaNarayanan — Mon, 07 Nov 2016 10:40:07 GMT

Hi,

I have list of servers, I need to find top Event Codes errors for each host, as each host as different Event codes. How to list them in a single table and show the number of Event codes count?

Eg; The table should be like below

Host 
acdc   5678    1842   7415
adfdf  3485    7684   1582

Re: How to find the top 10 error codes by each host and display the count in a table?

javiergn — Mon, 07 Nov 2016 11:08:26 GMT

See if the following works for you:

your base search here
| stats count by EventCode, host
| sort limit=0 host, - count
| streamstats count as top by host
| where top <= 10
| stats list(EventCode) as EventCode, list(count) as count by host

Thanks,
J

Re: How to find the top 10 error codes by each host and display the count in a table?

niketn — Mon, 07 Nov 2016 14:43:30 GMT

I have edited my answer as per you last example to display top 10 host names and EventCode. Try the following:

your base search | eval myField= host + " - " + EventCode| top 10 myField showperc=f

-----Editing answer again--- Following will give top 10 EventCode counts over all hosts:. Please try and confirm(eventstats will add ECCount field to all existing event which can be used in stats sum command later):

your base search here | eventstats count as ECCount by EventCode | chart limit=10 userother=f sum(ECCount) over host by EventCode

Re: How to find the top 10 error codes by each host and display the count in a table?

SathyaNarayanan — Wed, 09 Nov 2016 10:00:38 GMT

When i execute the above command, am getting the results as below

host 3688 10016 7001 5722 ......................................
asdfd 0 0 1 0
kjhl 0 1 0 0
mk; 1 0 0 0

It goes on like this

Re: How to find the top 10 error codes by each host and display the count in a table?

javiergn — Wed, 09 Nov 2016 10:23:13 GMT

Sorry but your example doesn't really help as I don't know what the numbers mean. Are they counts? are they event codes?

Something like this would help:

HOSTA EventCode1 Count1
HOSTA EventCode2 Count2
....

Re: How to find the top 10 error codes by each host and display the count in a table?

SathyaNarayanan — Wed, 09 Nov 2016 10:35:03 GMT

Need to show top errors for each host with event code count

Re: How to find the top 10 error codes by each host and display the count in a table?

niketn — Wed, 09 Nov 2016 12:29:09 GMT

Above query should return result in the following format:

HOSTA - EventCode1 Count1
HOSTA - EventCode2 Count2
....

Re: How to find the top 10 error codes by each host and display the count in a table?

SathyaNarayanan — Thu, 10 Nov 2016 09:21:30 GMT

Thanks for your response, but with the above query its showing only 10 servers, with the event code & count.

i need the list of all server with the 10 errors as the column in it.

Host A EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host B EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host C EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host D EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host E EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host F EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host G EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode

Re: How to find the top 10 error codes by each host and display the count in a table?

niketn — Thu, 10 Nov 2016 10:23:16 GMT

I have added a second search query as per your example above. Can you check and confirm whether it works for you or not?

Re: How to find the top 10 error codes by each host and display the count in a table?

SathyaNarayanan — Thu, 10 Nov 2016 10:53:37 GMT

i tried with your new query, that is also not helping it.

Thanks for your time

Re: How to find the top 10 error codes by each host and display the count in a table?

niketn — Thu, 10 Nov 2016 11:08:55 GMT

Do you mean the output is not what you expect or does the query has any issue? Can you share the output?

Re: How to find the top 10 error codes by each host and display the count in a table?

javiergn — Thu, 10 Nov 2016 14:56:43 GMT

Based on your answers below I'm guessing this is what you are looking for:

your base search here
| stats count by EventCode, host
| sort limit=0 host, - count
| streamstats count as top by host
| where top <= 10
| stats list(EventCode) as EventCode by host
| eval EventCode = mvjoin(EventCode, " ")

This would give you a similar output to the one you listed below:

Re: How to find the top 10 error codes by each host and display the count in a table?

Rocket66 — Thu, 10 Nov 2016 15:50:48 GMT

Why not :

... base_search ... | top EventCode by host

Quite simple ... or I missed something ... ?