Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to correlate hosts from event logs to group certain servers in one dashboard or report?

anupjishnu
Path Finder
‎10-06-2014 12:23 PM

I have multiple servers for which I am monitoring event logs via Splunk. The servers are owned by different teams. There is no information about team in the event log messages. I want to group the servers via team names in "one" graph (dashboard or report). The mapping between team and servers is internal.

e.g:
Team A = Server1, Server 3, Server 5
Team B = Server2, Server6
Team C = Server4, Server7, Server8

Event logs have Host field holding server name (e.g: Server3). But no information about team is stored in the event log.

I want one panel which will show errors in last 24 hours by team.
X-Axis: Timespan count by hour
Y-Axis: Number of errors
3 columns per hour - one for each team

Query for errors by host:
(Type="Error") (wmi_type="WinEventLog:Application") | timechart span=1h count by host

Since field for team does not exist, I cannot use avg.
I tried to use subsearch with but it was giving fewer results than what I could get from the above query which tells me it is not correct.
How do I query the report?

Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎10-06-2014 01:03 PM

Hi anupjishnu,

you could use eventtype to group the servers into teams, take a look at the docs. So you can build an eventtype named TeamA which referees to a search like this 

host=Server1 OR host=Server OR host=Server 5

Next you can use this eventtype in the search like this:

eventtype=TeamA (Type="Error") (wmi_type="WinEventLog:Application") | timechart span=1h count by host

hope this helps to get you started ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎10-06-2014 01:03 PM

Hi anupjishnu,

you could use eventtype to group the servers into teams, take a look at the docs. So you can build an eventtype named TeamA which referees to a search like this 

host=Server1 OR host=Server OR host=Server 5

Next you can use this eventtype in the search like this:

eventtype=TeamA (Type="Error") (wmi_type="WinEventLog:Application") | timechart span=1h count by host

hope this helps to get you started ...

cheers, MuS

Reply
Solved! Jump to solution

anupjishnu
Path Finder
‎10-06-2014 01:46 PM

I think this is exactly what I am looking for. I will work on it and keep this thread updated.
Update: This is it 🙂

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...