Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

My goal is to find out statistics for particular error in all servers.

pwongcha
Explorer
‎07-29-2015 02:55 PM

My goal is to find out statistics for particular error in all servers.

Scenario
what host have error 'E' the most?
display in table/chart
group by time, host, sourcetype

Condition
1. Only 9am-5pm
2. Only M-F
3. Display in 3 hours bucket

Advanced Feature
1. Give me top 5 servers with the most errors
2. Include date_wday in the result

Base on the research, it looks like I cannot use timechart over 2 fields.

earliest=-90d host=cswebprd1* sourcetype=psoft* "java.lang.OutOfMemoryError" "Java heap space" NOT(date_wday="sunday") NOT(date_wday="saturday") (date_hour>= 9 AND date_hour<= 17)
| bucket _time span=6h
| stats count by _time date_wday host sourcetype
| table sourcetype count _time sourcetype date_wday host
| sort sourcetype

alt text
alt text

Tags (2)
Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

tedwroks
Explorer
‎10-20-2016 03:56 AM

The interpretation is that per 3 hour bucket, you want to see the host source combination that had the most errors.
This is done with the last 3 lines that add a new field, "rank", and it's used to filter the result later.

    earliest=-90d    host=cswebprd1* sourcetype=psoft*
    java.lang.OutOfMemoryError    "Java heap space"
    NOT date_wday=sunday  NOT date_wday=saturday
    date_hour>= 9 date_hour<= 17
    | bucket _time span=3h
    | eval hostsrc=host.sourcetype
    | stats count as number_of_errors by _time, date_wday, hostsrc

    | sort 0 _time, -number_of_errors
    | streamstats count as rank by _time reset_on_change=true
    | where rank <= 3
0 Karma
Reply

woodcock
Esteemed Legend
‎07-29-2015 03:41 PM

You can use a trick to timechart over 2 fields like this:

... | eval comboField = field1 . ":" . field2 | timechart count by foo over comboField
0 Karma
Reply

pwongcha
Explorer
‎07-31-2015 09:29 AM

| eval comboField= sourcetype.":".host
| timechart span=6h count by comboField

with above command, I get this chart. Too many rows with 0 count. can this be removed from the result.

Looks like I get don't get 0 count from command "| bucket _time span=6h | stats count by _time date_wday host sourcetype"

0 Karma
Reply

woodcock
Esteemed Legend
‎08-01-2015 10:00 AM

Yes, when you use timechart it creates 0-value data points but when you use stats it does not do this. You can chart the output from stats if you go to the visualization tab.

0 Karma
Reply

pwongcha
Explorer
‎07-31-2015 09:26 AM

...
| eval comboField= sourcetype.":".host
| timechart span=6h count by comboField

almost there but I still prefer chart format done in excel.

is it possible to do this in plunk?

I can't attach image this time...

0 Karma
Reply

woodcock
Esteemed Legend
‎08-01-2015 09:57 AM

I do not understand this comment; please elaborate.

0 Karma
Reply

pwongcha
Explorer
‎07-29-2015 07:35 PM

I tried, doesn't look like timechart and over can be used together

0 Karma
Reply

woodcock
Esteemed Legend
‎07-30-2015 07:01 AM

You are correct (by the way, this is because it is already doing an implied over _time); I never should have used over but the basic trick still works like this:

... | eval comboField = field1 . ":" . field2 | timechart count by comboField

Also, this may help:

http://answers.splunk.com/answers/59045/how-do-i-make-a-multi-dimension-timechart.html

0 Karma
Reply
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...