Dashboards & Visualizations

How to correlate hosts from event logs to group certain servers in one dashboard or report?

anupjishnu
Path Finder

I have multiple servers for which I am monitoring event logs via Splunk. The servers are owned by different teams. There is no information about team in the event log messages. I want to group the servers via team names in "one" graph (dashboard or report). The mapping between team and servers is internal.

e.g:
Team A = Server1, Server 3, Server 5
Team B = Server2, Server6
Team C = Server4, Server7, Server8

Event logs have Host field holding server name (e.g: Server3). But no information about team is stored in the event log.

I want one panel which will show errors in last 24 hours by team.
X-Axis: Timespan count by hour
Y-Axis: Number of errors
3 columns per hour - one for each team

Query for errors by host:
(Type="Error") (wmi_type="WinEventLog:Application") | timechart span=1h count by host

Since field for team does not exist, I cannot use avg.
I tried to use subsearch with but it was giving fewer results than what I could get from the above query which tells me it is not correct.
How do I query the report?

1 Solution

MuS
SplunkTrust
SplunkTrust

Hi anupjishnu,

you could use eventtype to group the servers into teams, take a look at the docs. So you can build an eventtype named TeamA which referees to a search like this

host=Server1 OR host=Server OR host=Server 5

Next you can use this eventtype in the search like this:

eventtype=TeamA (Type="Error") (wmi_type="WinEventLog:Application") | timechart span=1h count by host

hope this helps to get you started ...

cheers, MuS

View solution in original post

MuS
SplunkTrust
SplunkTrust

Hi anupjishnu,

you could use eventtype to group the servers into teams, take a look at the docs. So you can build an eventtype named TeamA which referees to a search like this

host=Server1 OR host=Server OR host=Server 5

Next you can use this eventtype in the search like this:

eventtype=TeamA (Type="Error") (wmi_type="WinEventLog:Application") | timechart span=1h count by host

hope this helps to get you started ...

cheers, MuS

anupjishnu
Path Finder

I think this is exactly what I am looking for. I will work on it and keep this thread updated.
Update: This is it 🙂

Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...