Solved: How to build an availability report showing result...

nikkkc · ‎02-29-2016

Hi,

Today I am lack of knowledge... I have to build an availability report of a specific service on multiple servers. My Events look like as follows:

starttime, endtime, errorcode, servicename, servername

I would like to have a search result only when the error occurs on 4 servers at the same time.
I am confused how I can correlate the servername. My first try was

| where servername=server1 OR servername=server2.....

but this does not work... but concatenating with AND does not work neither....

Thank you guys, sorry for my foolery

woodcock · ‎02-29-2016

You need the concurrency command ( ... | where concurrency>=4)
http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Concurrency

View solution in original post

woodcock · ‎02-29-2016

You need the concurrency command ( ... | where concurrency>=4)
http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Concurrency

nikkkc · ‎03-01-2016

thanks thats it! 🙂 🙂 🙂

asimagu · ‎02-29-2016

I would start trying with transaction and the number of events per transaction maybe??

nikkkc · ‎03-01-2016

maybe this works also, but in my case the concurrency command is the easier way... thanks anyway

How to build an availability report showing results only when an error occurs on 4 servers at the same time?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!