Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to remove a shared field between two sourcetypes in order to create a visualization that overlays both sourcetypes?

HCadmins
Communicator
‎09-26-2016 10:15 AM

Hi Splunkers!

I am wondering if I can create a chart that overlays two sourcetypes: one from VMware, and one from Cisco. My goal is to correlate certain ESXi errors with certain Cisco errors.

My two sourcetypes are

source=cisco:ucs:faultInst sourcetype=vmware:esxlog:vmkernel

And the keywords I want to look for are—from the Cisco side: “severe” and “error”
From the VMware side: “MCE” and “MCA”

One of the issues I am running into is that both sourcetypes have a host field, so I’d want to strip out from which sourcetype each ‘host’ field comes. (For VMware, we have 11 ESXi hosts that populate that field, and only one Cisco host.)

My end goal would be a line or area chart that shows counts over time one of the sourcetype+associated keywords overlaid with the other one.

I’m not really sure where to begin.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-26-2016 12:45 PM

This should get you started.

(source=cisco:ucs:faultInst “severe” and “error” ) OR (sourcetype=vmware:esxlog:vmkernel )
| timechart count by sourcetype

View solution in original post

0 Karma
Reply
Solved! Jump to solution

mikaelbje
Motivator
‎09-26-2016 11:31 PM

If you want to see both the host and sourcetype, try this instead:

 (source=cisco:ucs:faultInst “severe” and “error” ) OR (sourcetype=vmware:esxlog:vmkernel ) | strcat sourcetype "::" host sourcetype_and_host | timechart count by sourcetype_and_host
0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-26-2016 12:45 PM

This should get you started.

(source=cisco:ucs:faultInst “severe” and “error” ) OR (sourcetype=vmware:esxlog:vmkernel )
| timechart count by sourcetype
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...