I am new to Splunk and I want to get a search with the top 5 hosts showing application/system logs and add this to a dashboard in real time for the last 30 mins. Also, I want to create a new dashboard with the top 5 hosts' errors and warnings in application and system logs, changing in real time over 30 mins. Can someone point me in the right direction for the search details to get this to display, please?
Try this, but DO NOT use a real-time search; it will crater the performance and scalability of your Search Head:
eventtype="wineventlog_application" source="*WinEventLog:*" (host="*" OR ComputerName="*") TaskCategory="*" SourceName="*" EventCode="*" Type="*" *
| top limit=10 host BY Type
Thanks for this. I have amended your search to
(eventtype="wineventlog_application" OR eventtype="wineventlog_system") source="*WinEventLog:*" (host="*" OR ComputerName="*") TaskCategory="*" SourceName="*" EventCode="*" (Type="Error" OR Type="Warning") *
| top limit=10 host
so this will do a 15 min refresh, and this searches application and system event logs on Windows servers and covers errors and warnings.
I hope this is what I need.
Thanks
It probably is, so be sure to UpVote. Also, come back after you test to let us know if it isn't, and to click Accept to close your question if it is.
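Putting the advice in this exchange together, here is an added example (not posted by anyone in the thread) of a Simple XML dashboard that covers both requests from the question: one panel with the top 5 hosts by Application/System event volume and one with the top 5 hosts by errors and warnings, each with a sparkline so the rate of change is visible. It uses a scheduled refresh and a 30-minute time window instead of a real-time search, as advised above. The eventtype names (wineventlog_application, wineventlog_system) and the Type field are taken from the searches posted in this thread and are assumed to exist on your instance via the Windows add-on; the dashboard label, token name and 5-minute refresh interval are my own choices.

```xml
<!-- Added example dashboard, not part of the original thread.
     Assumptions: the eventtypes wineventlog_application / wineventlog_system
     and the Type field are defined (they come from the Windows add-on);
     the token name, labels and 5m refresh are arbitrary. -->
<form>
  <label>Windows Event Log - Top Hosts (added example)</label>

  <!-- One shared time picker, defaulting to the last 30 minutes.
       Each panel re-runs every 5 minutes instead of using a real-time search. -->
  <fieldset submitButton="false">
    <input type="time" token="win_time">
      <label>Time range</label>
      <default>
        <earliest>-30m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>Top 5 hosts by event volume (Application + System)</title>
      <table>
        <search>
          <query>(eventtype="wineventlog_application" OR eventtype="wineventlog_system")
| stats sparkline(count, 5m) AS Trend, count BY host
| sort -count
| head 5</query>
          <earliest>$win_time.earliest$</earliest>
          <latest>$win_time.latest$</latest>
          <refresh>5m</refresh>
          <refreshType>delay</refreshType>
        </search>
      </table>
    </panel>

    <panel>
      <title>Top 5 hosts by errors and warnings (Application + System)</title>
      <table>
        <search>
          <!-- Parentheses matter: in SPL, AND binds tighter than OR, so the
               Type filter must be grouped or it only applies to the last term. -->
          <query>(eventtype="wineventlog_application" OR eventtype="wineventlog_system")
  (Type="Error" OR Type="Warning")
| stats sparkline(count, 5m) AS Trend,
        count AS total,
        count(eval(Type="Error")) AS errors,
        count(eval(Type="Warning")) AS warnings
  BY host
| sort -total
| head 5</query>
          <earliest>$win_time.earliest$</earliest>
          <latest>$win_time.latest$</latest>
          <refresh>5m</refresh>
          <refreshType>delay</refreshType>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Save this as a new dashboard (Dashboards > Create New Dashboard > Source), then adjust the eventtype names if `index=win* | head 1000` shows different ones on your instance. `stats count BY host | sort -count | head 5` is used rather than `top`, because `top` only reports a single count per host; `stats` lets you keep the error/warning split and the sparkline in the same row, which is what gives you the "rate of change" view without a real-time search.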
Hi pboon,
first, I suggest following the Splunk search tutorial https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchTutorial/WelcometotheSearchTutorial
Anyway, first: what's the logic for the top 5 servers: importance, quantity of logs, error count?
Is there an error_field, or do you have a list of error messages?
Anyway, I speculate that you have a field containing errors, so you could create a dashboard with several panels, one for each search:
top 5 hosts showing application/system logs
index=my_index
| top 5 host
top 5 hosts with errors and warnings in application and system logs
if you have an error_field you can use
index=my_index error_field="*"
| top 5 host
if you don't have an error field but only many error messages, you should create a lookup (pattern.csv) containing one field (pattern) and then run a search like this:
index=my_index [ | inputlookup pattern.csv | rename pattern AS query | fields query ]
| top 5 host
You can choose the correct time frame for each search or configure a time token in your dashboard.
Bye.
Giuseppe
I have read through the tutorials before, but I am looking for something like
eventtype="wineventlog_application" source="*WinEventLog:*" (host="*" OR ComputerName="*") TaskCategory="*" SourceName="*" EventCode="*" Type="*" *
| top limit=10 host
Would this be what I'm looking for, or something like
eventtype="wineventlog_common" source="*WinEventLog:Application" (host="*" OR ComputerName="*") TaskCategory="*" SourceName="*" EventCode="*" Type="Error" *
| top limit=10 host
Hi pboon,
when you insert a search in your message, please use the Code Sample button (the one with 101010) so we can see the whole search.
Anyway, you can simplify your search:
(eventtype="wineventlog:Application" OR eventtype="wineventlog:System") Type="Error" *
| top limit=10 host
but are you sure that you defined the eventtypes you mentioned?
Usually they are created in an App called Splunk_TA_Windows.
So, run a simple search
index=win*
| head 1000
and see if the eventtypes and fields you use in your search are there; if they are, OK, otherwise you have to install Splunk_TA_Windows or create them manually.
Bye.
Giuseppe
Hi,
We have an app called Splunk App for Windows Infrastructure, which is all defined. When we choose Windows and then Event Monitoring from the Apps bar, we get options for type, source name, event code etc. When we open the hosts event monitoring in a search we get the search as
eventtype="wineventlog_common" source="*WinEventLog:*" (host="*" OR ComputerName="*") TaskCategory="*" SourceName="*" EventCode="*" Type="Error" *
| stats sparkline as "Trend", count by host
| sort -count
but this doesn't supply what I actually want. I want to get the top 5 servers giving the most errors and warnings from their Application and System event logs within the last, say, 30 mins, or in real time with the rate of change happening, but I'm puzzled as to how I get to this. I have run the
index=win*
| head 1000
which displays all my event log info from my servers.
I have looked at your answer and this is not what I want. I have sent the searches I thought would be what I want; have you checked these?
What searches have you tried so far?
eventtype="wineventlog_common" source="*WinEventLog:*" (host="*" OR ComputerName="*") TaskCategory="*" SourceName="*" EventCode="*" Type="*" *
| top limit=10 host
eventtype="wineventlog_common" source="*WinEventLog:System" (host="*" OR ComputerName="*") TaskCategory="*" SourceName="*" EventCode="*" Type="Warning" *
| stats sparkline as "Trend", count by host
| sort -count
| head 10
eventtype="wineventlog_system" source="*WinEventLog:*" (host="*" OR ComputerName="*") TaskCategory="*" SourceName="*" EventCode="*" Type="*" *
| top limit=10 host
eventtype="wineventlog_application" source="*WinEventLog:*" (host="*" OR ComputerName="*") TaskCategory="*" SourceName="*" EventCode="*" Type="*" *
| top limit=10 host
These display the relevant event logs, but I wanted to add the error and warning into a single search and have this displayed on a dashboard.
I saw this
eventtype="wineventlog_common" source="*WinEventLog:Application" (host="*" OR ComputerName="*") TaskCategory="*" SourceName="*" EventCode="*" Type="Error" *
| stats sparkline as "Trend", count by host
| sort -count
but cannot limit it to the top 10 hosts or add the AND to the type.
Any help would be appreciated.