Reporting

How to build an availability report showing results only when an error occurs on 4 servers at the same time?

nikkkc
Path Finder

Hi,

Today I am lack of knowledge... I have to build an availability report of a specific service on multiple servers. My Events look like as follows:

starttime, endtime, errorcode, servicename, servername

I would like to have a search result only when the error occurs on 4 servers at the same time.
I am confused how I can correlate the servername. My first try was

| where servername=server1 OR servername=server2.....

but this does not work... but concatenating with AND does not work neither....

Thank you guys, sorry for my foolery

0 Karma
1 Solution

woodcock
Esteemed Legend

woodcock
Esteemed Legend

You need the concurrency command ( ... | where concurrency>=4)
http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Concurrency

nikkkc
Path Finder

thanks thats it! 🙂 🙂 🙂

0 Karma

asimagu
Builder

I would start trying with transaction and the number of events per transaction maybe??

0 Karma

nikkkc
Path Finder

maybe this works also, but in my case the concurrency command is the easier way... thanks anyway

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...