Dashboard (Errors last 24h)

fischera
Explorer

Good day

I have a question.

I want to create a dashboard for the Company XY.
If I create a new panel (errors in the last 24 hours) I see all the servers.
But I just want to see the servers of the Company XY.
What do I need to change (search string)?
I just want to see server1, server2 and server3 of Company XY.

http://s14.directupload.net/file/d/2940/x7m6jbm9_png.htm

thank you
best regards

1 Solution

fischera
Explorer

By filter I type host="server1"

Can I edit this
error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )
to
error OR failed OR severe OR ( host="server1" )

If so how can I add more servers?
With | ?
Example host="server1" | "server2" | "server3"?
or addinfo?
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ListOfSearchCommands

Excuse me, this is my first Splunk server 😉


fischera
Explorer

We have a Splunkserver M in the Workgroup.
We have a Company X with SplunkserverX and domain x.local
We have a Company Y with SplunkserverY and domain y.local
We have a Company Z with SplunkserverZ and domain z.local

Servers X, Y and Z send all information to Splunkserver M.
Splunkserver M listens on port 9997

All servers have two network cards.


fischera
Explorer

OK, thank you very much for your help.
I tested it but it does not work.

Step 1:
http://s14.directupload.net/file/d/2940/i7bnv76z_png.htm

Step 2:
http://s7.directupload.net/file/d/2940/6t8b2nem_png.htm

Step 3:
http://s14.directupload.net/file/d/2940/t872lelc_png.htm

But the idea is good, because we have more than 20 servers.

Have you found an error in the pictures?


fischera
Explorer

Host = Splunkserver = Server1 in Pictures


srioux
Communicator

There would be a few ways to handle this, depending on your approach and the data available.

If you have a very limited list (i.e. Server 1 to Server 3), then you may be better off just using the list of host/hostnames as part of your search (another set of (value OR value OR value) ).

Alternatively, if these systems are all part of the same subnet, you can use Splunk's cidrmatch function:

error | where cidrmatch("10.0.123.0/24",host)

More documentation on cidrmatch can be found in eval functions.

If these don't work, may have to look at more of the data to evaluate other possibilities - are there commonalities in host naming that show up in the data that you could use?


fischera
Explorer

Very nice, it works ^^
http://s7.directupload.net/file/d/2940/y32r9quo_png.htm

If I can find no alternative, I'll add 20 servers manually. Thank you very much


srioux
Communicator

Try the following:

error OR failed OR severe OR (sourcetype=access_* (404 OR 500 OR 503)) (host="server1" OR host="server2" OR host="server3")
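
For the case raised in the thread of more than 20 servers, one option is to keep the host list in a CSV lookup and let a subsearch expand it into the same (host=... OR host=...) filter. This is an added example, not part of any post in the thread; the lookup file company_xy_hosts.csv, with a single column named host, is a hypothetical name and has to be created first.

```spl
earliest=-24h (error OR failed OR severe OR (sourcetype=access_* (404 OR 500 OR 503)))
    [| inputlookup company_xy_hosts.csv | fields host]
| stats count AS errors BY host
| sort - errors
```

Hosts with no matching events in the time window do not appear in the result.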

Ayn
Legend

Well, how do you normally filter events so that you only get events from company XY?
