Dashboard (Errors last 24h)

Explorer

Good day

I have a question.

I want to create a dashboard for the Company XY.
If I create a new panel (errors in the last 24 hours) I see all the servers.
But I just want to see the servers of the Company XY.
What do I need to change (search string)?
I just want to see server1, server2 and server3 of Company XY.

http://s14.directupload.net/file/d/2940/x7m6jbm9_png.htm

Thank you
Best regards

Explorer

By filter I type host="server1"

Can I edit this
error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )
to
error OR failed OR severe OR ( host="server1" )

If so how can I add more servers?
With | ?
Example host="server1" | "server2" | "server3"?
or addinfo?
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ListOfSearchCommands

Excuse me, this is my first Splunk server 😉

Explorer

We have a Splunkserver M in the Workgroup.
We have a Company X with SplunkserverX and domain x.local
We have a Company Y with SplunkserverY and domain y.local
We have a Company Z with SplunkserverZ and domain z.local

Servers X, Y and Z send all information to Splunkserver M.
Splunkserver M listens on port 9997

All servers have two network cards.

Explorer

OK, thank you very much for your help.
I tested it, but it does not work.

Step 1:
http://s14.directupload.net/file/d/2940/i7bnv76z_png.htm

Step 2:
http://s7.directupload.net/file/d/2940/6t8b2nem_png.htm

Step 3:
http://s14.directupload.net/file/d/2940/t872lelc_png.htm

But the idea is good, because we have more than 20 servers.

Have you found an error in the pictures?

Explorer

Host = Splunkserver = Server1 in Pictures

Communicator

There would be a few ways to handle this, depending on your approach and the data available.

If you have a very limited list (i.e. Server 1 to Server 3), then you may be better off just using the list of host/hostnames as part of your search (another set of (value OR value OR value) ).

Alternatively, if these systems are all part of the same subnet, you can use Splunk's cidrmatch function:

error | where cidrmatch("10.0.123.0/24",host)

More documentation on cidrmatch can be found in eval functions.

If these don't work, we may have to look at more of the data to evaluate other possibilities - are there commonalities in host naming that show up in the data that you could use?

Explorer

Very nice, it works ^^
http://s7.directupload.net/file/d/2940/y32r9quo_png.htm

If I can find no alternative, I'll add 20 servers manually. Thank you very much

Communicator

Try the following:

error OR failed OR severe OR (sourcetype=access_* (404 OR 500 OR 503)) (host="server1" OR host="server2" OR host="server3")
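
For a host list too long to retype in every panel (the thread mentions more than 20 servers), the same host filter can be read from a lookup; this is an added example, not part of the original thread. The first search writes the list once, and the second is the panel search, whose subsearch expands to an OR of host="..." terms that is ANDed with the error terms. Assumptions: the lookup name company_xy_hosts.csv is hypothetical, and its single column is named host so that it matches the event field.

```spl
| makeresults
| eval host=split("server1,server2,server3", ",")
| mvexpand host
| table host
| outputlookup company_xy_hosts.csv

(error OR failed OR severe OR (sourcetype=access_* (404 OR 500 OR 503)))
    [| inputlookup company_xy_hosts.csv | fields host]
```

Appending `| format` to the inputlookup search on its own shows the exact filter string the subsearch will produce.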

Legend

Well, how do you normally filter events so that you only get events from company XY?
