Solved: How to remove a shared field between two sourcetyp...

HCadmins · ‎09-26-2016

Hi Splunkers!

I am wondering if I can create a chart that overlays two sourcetypes: one from VMware, and one from Cisco. My goal is to correlate certain ESXi errors with certain Cisco errors.

My two sourcetypes are

source=cisco:ucs:faultInst sourcetype=vmware:esxlog:vmkernel

And the keywords I want to look for are—from the Cisco side: “severe” and “error”
From the VMware side: “MCE” and “MCA”

One of the issues I am running into is that both sourcetypes have a host field, so I’d want to strip out from which sourcetype each ‘host’ field comes. (For VMware, we have 11 ESXi hosts that populate that field, and only one Cisco host.)

My end goal would be a line or area chart that shows counts over time one of the sourcetype+associated keywords overlaid with the other one.

I’m not really sure where to begin.

somesoni2 · ‎09-26-2016

This should get you started.

(source=cisco:ucs:faultInst “severe” and “error” ) OR (sourcetype=vmware:esxlog:vmkernel )
| timechart count by sourcetype

View solution in original post

mikaelbje · ‎09-26-2016

If you want to see both the host and sourcetype, try this instead:

 (source=cisco:ucs:faultInst “severe” and “error” ) OR (sourcetype=vmware:esxlog:vmkernel ) | strcat sourcetype "::" host sourcetype_and_host | timechart count by sourcetype_and_host

somesoni2 · ‎09-26-2016

This should get you started.

(source=cisco:ucs:faultInst “severe” and “error” ) OR (sourcetype=vmware:esxlog:vmkernel )
| timechart count by sourcetype

How to remove a shared field between two sourcetypes in order to create a visualization that overlays both sourcetypes?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!