Solved: Re: Dashboard (Errors last 24h)

fischera · ‎07-03-2012

Good day

I have a Question

I want to create a dashboard for the Company XY.
If I create a new panel (errors in the last 24 hours) I see all the servers.
But I just want to see the servers of the Company XY.
What I need (search string) change?
I just want to see server1, server2 and server3 of Company XY.

http://s14.directupload.net/file/d/2940/x7m6jbm9_png.htm

thank you
best regards

fischera · ‎07-03-2012

by filter i type host="server1"

can I edit this
error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )
to
error OR failed OR severe OR ( host="server1" )

If so how can I add more servers?
With | ?
Example host="server1" | "server2" | "server3"?
or addinfo?
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ListOfSearchCommands

Excuse me, this is my first Splunk server 😉

View solution in original post

fischera · ‎07-03-2012

We have a Splunkserver M in the Workgroup.
We have a Company X with SplunkserverX and domain x.local
We have a Company Y with SplunkserverY and domain y.local
We have a Company Z with SplunkserverZ and domain z.local

Server X,Y and Z send all Informations to Splunkserver M.
Splunkserver M listens on port 9997

All servers have two network cards.

fischera · ‎07-03-2012

ok thank you very much for your help
i test it but it does not work

Step 1:
http://s14.directupload.net/file/d/2940/i7bnv76z_png.htm

Step 2:
http://s7.directupload.net/file/d/2940/6t8b2nem_png.htm

Step3:
http://s14.directupload.net/file/d/2940/t872lelc_png.htm

But the idea is good, because we have more than 20 servers.

have you found an error by the pictures?

fischera · ‎07-03-2012

Host = Splunkserver = Server1 in Pictures

srioux · ‎07-03-2012

There would be a few ways to handle this, depending on your approach and the data available.

If you have a very limited list (i.e. Server 1 to Server 3), then you may be better off just using the list of host/hostnames as part of your search (another set of (value OR value OR value) ).

Alternatively, if these systems are all part of the same subnet, you can use Splunk's cidrmatch function:

error | where cidrmatch("10.0.123.0/24",host)

More documentation on cidrmatch can be found in eval functions.

If these don't work, may have to look at more of the data to evaluate other possibilities - are there commonalities in host naming that show up in the data that you could use?

fischera · ‎07-03-2012

by filter i type host="server1"

can I edit this
error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )
to
error OR failed OR severe OR ( host="server1" )

If so how can I add more servers?
With | ?
Example host="server1" | "server2" | "server3"?
or addinfo?
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ListOfSearchCommands

Excuse me, this is my first Splunk server 😉

fischera · ‎07-03-2012

very nice, it works^^
http://s7.directupload.net/file/d/2940/y32r9quo_png.htm

If I can find no alternative, I'll add 20 servers manually. Thank you very much

srioux · ‎07-03-2012

Try the following:

error OR failed OR severe OR (sourcetype=access_* (404 OR 500 OR 503)) (host="server1" OR host="server2" OR host="server3")

Ayn · ‎07-03-2012

Well how do you normally filter events so that you only get events from company XY?

Dashboard (Errors last 24h)

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services