Reporting

How to build an availability report showing results only when an error occurs on 4 servers at the same time?

nikkkc
Path Finder

Hi,

Today I am lack of knowledge... I have to build an availability report of a specific service on multiple servers. My Events look like as follows:

starttime, endtime, errorcode, servicename, servername

I would like to have a search result only when the error occurs on 4 servers at the same time.
I am confused how I can correlate the servername. My first try was

| where servername=server1 OR servername=server2.....

but this does not work... but concatenating with AND does not work neither....

Thank you guys, sorry for my foolery

0 Karma
1 Solution

woodcock
Esteemed Legend

woodcock
Esteemed Legend

You need the concurrency command ( ... | where concurrency>=4)
http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Concurrency

nikkkc
Path Finder

thanks thats it! 🙂 🙂 🙂

0 Karma

asimagu
Builder

I would start trying with transaction and the number of events per transaction maybe??

0 Karma

nikkkc
Path Finder

maybe this works also, but in my case the concurrency command is the easier way... thanks anyway

0 Karma
Get Updates on the Splunk Community!

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...