topic Top errors with hosts in Splunk Search

Top errors with hosts

jamesklassen — Wed, 22 Jun 2011 14:44:17 GMT

I have a search that sends me the top 10 errors on all of our servers each morning:

error OR Error OR alert OR Alert OR fail* OR Fail* source="WMI:WinEventLog*" | top limit=10 Message

But this would be much more helpful if I could, for each error, see which server(s) it has occurred on.

I assume I need to run a subsearch to figure out which server(s) the error has ocurred?

Re: Top errors with hosts

southeringtonp — Wed, 22 Jun 2011 14:52:57 GMT

Using a subsearch is overkill -- use stats instead. Something like the following should work.

error OR alert OR fail source="WMI:WinEventLog*"
| stats count values(host) by Message
| sort - count
| head 10

Re: Top errors with hosts

jamesklassen — Wed, 22 Jun 2011 16:03:09 GMT

Perfect, thank you

Re: Top errors with hosts

mfrost8 — Thu, 23 Jun 2011 19:28:55 GMT

Unless I'm mistaken, the strings you're searching for are case-insensitive. In fact, I had asked this a while back, but I don't think you can have Splunk do a case-sensitive search. So in your case, you really only need

error OR alert OR fail ...