Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to correlate hosts from event logs to group certain servers in one dashboard or report?

anupjishnu
Path Finder
‎10-06-2014 12:23 PM

I have multiple servers for which I am monitoring event logs via Splunk. The servers are owned by different teams. There is no information about team in the event log messages. I want to group the servers via team names in "one" graph (dashboard or report). The mapping between team and servers is internal.

e.g:
Team A = Server1, Server 3, Server 5
Team B = Server2, Server6
Team C = Server4, Server7, Server8

Event logs have Host field holding server name (e.g: Server3). But no information about team is stored in the event log.

I want one panel which will show errors in last 24 hours by team.
X-Axis: Timespan count by hour
Y-Axis: Number of errors
3 columns per hour - one for each team

Query for errors by host:
(Type="Error") (wmi_type="WinEventLog:Application") | timechart span=1h count by host

Since field for team does not exist, I cannot use avg.
I tried to use subsearch with but it was giving fewer results than what I could get from the above query which tells me it is not correct.
How do I query the report?

Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎10-06-2014 01:03 PM

Hi anupjishnu,

you could use eventtype to group the servers into teams, take a look at the docs. So you can build an eventtype named TeamA which referees to a search like this 

host=Server1 OR host=Server OR host=Server 5

Next you can use this eventtype in the search like this:

eventtype=TeamA (Type="Error") (wmi_type="WinEventLog:Application") | timechart span=1h count by host

hope this helps to get you started ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎10-06-2014 01:03 PM

Hi anupjishnu,

you could use eventtype to group the servers into teams, take a look at the docs. So you can build an eventtype named TeamA which referees to a search like this 

host=Server1 OR host=Server OR host=Server 5

Next you can use this eventtype in the search like this:

eventtype=TeamA (Type="Error") (wmi_type="WinEventLog:Application") | timechart span=1h count by host

hope this helps to get you started ...

cheers, MuS

Reply
Solved! Jump to solution

anupjishnu
Path Finder
‎10-06-2014 01:46 PM

I think this is exactly what I am looking for. I will work on it and keep this thread updated.
Update: This is it 🙂

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...