How can I create a search and add it to a dashboard for my top 5 servers' application and system logs?

New Member

I am new to Splunk and I want to get a search with the top 5 hosts showing application/system logs and add this to a dashboard in real time for the last 30 mins. Also, I want to create a new dashboard with the top 5 hosts' errors and warnings in application and system logs, changing in real time over 30 mins. Can someone point me in the right direction for the search details to get this to display, please?

0 Karma
1 Solution

Esteemed Legend

Try this, but DO NOT use a real-time search; it will crater the performance and scalability of your Search Head:

eventtype="wineventlog_application" source="*inEventLog:*" (host="*" OR ComputerName="*") TaskCategory="*"  SourceName="*" EventCode="*" Type="*" *
| top limit=10 host BY Type

0 Karma

New Member

Thanks for this, I have amended your search to

(eventtype="wineventlog_application" OR eventtype="wineventlog_system") source="*inEventLog:*" (host="*" OR ComputerName="*") TaskCategory="*" SourceName="*" EventCode="*" (Type="Error" OR Type="Warning") * | sort -count | top limit=10 host

So this will do a 15 min refresh; it searches the application and system event logs on Windows servers and covers errors and warnings.
I hope this is what I need.

thanks

0 Karma

Esteemed Legend

It probably is, so be sure to UpVote. Also, come back after you test to let us know if it isn't, and to click Accept to close your question if it is.

0 Karma

Legend

Hi pboon,
First, I suggest following the Splunk search tutorial https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchTutorial/WelcometotheSearchTutorial
Anyway, first of all, what's the logic for the top 5 servers: importance, quantity of logs, error count?
Is there an error_field or do you have a list of error messages?

Anyway, I speculate that you have a field containing errors so you could create a dashboard with more panels, one for each search:
top 5 hosts showing application/system logs

index=my_index
| top 5 host

top 5 hosts errors and warnings in application and system logs
If you have an error_field you can use

index=my_index error_field="*"
| top 5 host

If you don't have an error field but only many error messages, you should create a lookup (pattern.csv) containing one field (pattern) and then run a search like this:

index=my_index [ | inputlookup pattern.csv | rename pattern AS query | fields query]
| top 5 host

You can choose the correct time frame for each search or configure a time token in your dashboard.

Bye.
Giuseppe

0 Karma

New Member

I have read through the tutorials before but I am looking for something like
eventtype="wineventlog_application" source="*inEventLog:*" (host="*" OR ComputerName="*") TaskCategory="*" SourceName="*" EventCode="*" Type="*" * | sort -count | top limit=10 host

Would this be what I'm looking for, or something like
eventtype="wineventlog_common" source="*inEventLog:Application" (host="*" OR ComputerName="*") TaskCategory="*" SourceName="*" EventCode="*" Type="Error" * | top limit=10 host

0 Karma

Legend

Hi pboon,
When you insert a search in your message, please use the Code Sample button (the one with 101010) so we can see the whole search.
Anyway, you can simplify your search:

(eventtype="wineventlog:Application" OR eventtype="wineventlog:System") Type="Error" *
| top limit=10 host

but are you sure that you defined the eventtypes you mentioned?
Usually they are created in an App called Splunk_TA_Windows.
So, run a simple search

index=win* 
| head 1000

and see whether the eventtypes and fields you use in your search are there; if they are, OK, otherwise you have to install Splunk_TA_Windows or create them manually.

Bye.
Giuseppe

0 Karma

New Member

Hi,
We have an app called Splunk App for Windows Infrastructure, which is all defined. When we choose Windows and then Event Monitoring from the Apps bar we get options for type, source name, event code etc. When we open the hosts event monitoring in a search we get the search as
eventtype="wineventlog_common" source="*inEventLog:*" (host="*" OR ComputerName="*") TaskCategory="*" SourceName="*" EventCode="*" Type="Error" * | stats sparkline as "Trend", count by host | sort -count

but this doesn't supply what I actually want. I want to get the top 5 servers giving the most errors and warnings from their application and system event logs within, say, the last 30 mins or in real time, with the rate of change happening. But I'm puzzled as to how I get to this. I have run
index=win*
| head 1000
which displays all my event log info from my servers.

0 Karma

New Member

I have looked at your answer and this is not what I want. I have sent the searches I thought would be what I want; have you checked these?

0 Karma

SplunkTrust

What searches have you tried so far?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

New Member

eventtype="wineventlog_common" source="*inEventLog:*" (host="*" OR ComputerName="*") TaskCategory="*" SourceName="*" EventCode="*" Type="*" * | top limit=10 host

eventtype="wineventlog_common" source="*inEventLog:System" (host="*" OR ComputerName="*") TaskCategory="*" SourceName="*" EventCode="*" Type="Warning" * | stats sparkline as "Trend", count by host | sort -count | top limit=10 host

eventtype="wineventlog_system" source="*inEventLog:*" (host="*" OR ComputerName="*") TaskCategory="*" SourceName="*" EventCode="*" Type="*" * | top limit=10 host

eventtype="wineventlog_application" source="*inEventLog:*" (host="*" OR ComputerName="*") TaskCategory="*" SourceName="*" EventCode="*" Type="*" * | top limit=10 host

These display the relevant event logs, but I wanted to combine error and warning into a single search and have this displayed on a dashboard.

I saw this
eventtype="wineventlog_common" source="*inEventLog:Application" (host="*" OR ComputerName="*") TaskCategory="*" SourceName="*" EventCode="*" Type="Error" * | stats sparkline as "Trend", count by host | sort -count

but I cannot limit it to the top 10 hosts or add the AND to the type.

Any help would be appreciated.

0 Karma