https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-quickly-search-for-a-specific-error/m-p/285074#M86210 <P>Thanks! I added </P> <P>|dedup 1 host "Update Title"</P> <P>And that now looks correct. It gives me one unique entry (most recent) for each update per host that failed rather than listing the same update for each host each time it fails. Much appreciated!</P> Tue, 20 Dec 2016 13:56:00 GMT SplunkLunk 2016-12-20T13:56:00Z https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-quickly-search-for-a-specific-error/m-p/285069#M86205 <P>Greetings,</P> <P>I want to search my Windows boxes for a specific error in the System log. I also want to do this search every seven days. That means it will have to search millions of entries each time when I'm only looking for one error type. I thought in one of the first training sessions they provided a way create an efficient search which would weed out some entries first before performing the actual search. I hope I'm making sense. The query I want to run is:</P> <PRE><CODE>index= host=* source=WinEventLog:System | xmlkv | search EventID=20 updateTitle!="Update for System Center Endpoint Protection*" updateTitle!="Windows Malicious Software Removal Tool*" |rename _time as Time updateTitle AS "Update Title" |sort -Time |table Time, Name, "Update Title" |convert timeformat="%a %b %d, %Y %I:%M:%S %p" ctime(Time) As Time </CODE></PRE> <P>This will provide a report of failed Windows updates which my admins are asking about. Like I mentioned, it would need to search through all System event logs and our Splunk admins have set a timeout which the query would probably hit. Any suggestions? Thanks.</P> Mon, 19 Dec 2016 21:07:22 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-quickly-search-for-a-specific-error/m-p/285069#M86205 SplunkLunk 2016-12-19T21:07:22Z https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-quickly-search-for-a-specific-error/m-p/285070#M86206 <P>I would try to do a few simple things.</P> <OL> <LI>Add an index pattern if you can, e.g., "index=wineventlog*"</LI> <LI>Add a sourcetype pattern if you can, e.g., sourcetype="XmlWinEventLog:System"</LI> <LI>Add the event ID to the first level of the search ("Event.System.EventID"=20), e.g., without any of the other changes it would be <CODE>index= host=* source=WinEventLog:System "Event.System.EventID"=20</CODE></LI> </OL> Mon, 19 Dec 2016 21:27:39 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-quickly-search-for-a-specific-error/m-p/285070#M86206 rjthibod 2016-12-19T21:27:39Z https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-quickly-search-for-a-specific-error/m-p/285071#M86207 <P>Thanks,</P> <P>Doing #3 helped significantly. I was wondering what is the correct syntax to remove duplicates by host and only keep the most recent alert. Some updates fail and then retry so I really only need to keep the latest failure.</P> Tue, 20 Dec 2016 13:35:34 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-quickly-search-for-a-specific-error/m-p/285071#M86207 SplunkLunk 2016-12-20T13:35:34Z https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-quickly-search-for-a-specific-error/m-p/285072#M86208 <P>You can use <CODE>dedup</CODE> or <CODE>stats</CODE> to eliminate duplicates by host. In your case, <CODE>dedup</CODE> is probably simpler. In your case, I am not real clear on what the field "Name" is supposed to be. If "Name" is a stand in for the host, then do the following</P> <PRE><CODE> index=* source=WinEventLog:System "Event.System.EventID"=20 | xmlkv | search updateTitle!="Update for System Center Endpoint Protection*" updateTitle!="Windows Malicious Software Removal Tool*" | rename _time as Time updateTitle AS "Update Title" | sort -Time | dedup 1 Name | table Time, Name, "Update Title" | convert timeformat="%a %b %d, %Y %I:%M:%S %p" ctime(Time) As Time </CODE></PRE> <P>If "Name" is not a stand-in for the host name, then try the following</P> <PRE><CODE> index=* source=WinEventLog:System "Event.System.EventID"=20 | xmlkv | search updateTitle!="Update for System Center Endpoint Protection*" updateTitle!="Windows Malicious Software Removal Tool*" | rename _time as Time updateTitle AS "Update Title" | sort -Time | dedup 1 host | table Time, Name, "Update Title" | convert timeformat="%a %b %d, %Y %I:%M:%S %p" ctime(Time) As Time </CODE></PRE> Tue, 20 Dec 2016 13:42:29 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-quickly-search-for-a-specific-error/m-p/285072#M86208 rjthibod 2016-12-20T13:42:29Z https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-quickly-search-for-a-specific-error/m-p/285073#M86209 <P>If you want to try the <CODE>stats</CODE> approach, substitute the <CODE>dedup</CODE> command with the following depending on which field is the host name you were referring to:</P> <P><CODE>| stats first(Time) as first("Update Title") as "Update Title" by Name</CODE></P> <P>or </P> <P><CODE>| stats first(Time) as first("Update Title") as "Update Title" first(Name) as Name by host</CODE></P> Tue, 20 Dec 2016 13:45:01 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-quickly-search-for-a-specific-error/m-p/285073#M86209 rjthibod 2016-12-20T13:45:01Z https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-quickly-search-for-a-specific-error/m-p/285074#M86210 <P>Thanks! I added </P> <P>|dedup 1 host "Update Title"</P> <P>And that now looks correct. It gives me one unique entry (most recent) for each update per host that failed rather than listing the same update for each host each time it fails. Much appreciated!</P> Tue, 20 Dec 2016 13:56:00 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-quickly-search-for-a-specific-error/m-p/285074#M86210 SplunkLunk 2016-12-20T13:56:00Z