Solved: How to build an availability report showing result...

nikkkc · ‎02-29-2016

Hi,

Today I am lack of knowledge... I have to build an availability report of a specific service on multiple servers. My Events look like as follows:

starttime, endtime, errorcode, servicename, servername

I would like to have a search result only when the error occurs on 4 servers at the same time.
I am confused how I can correlate the servername. My first try was

| where servername=server1 OR servername=server2.....

but this does not work... but concatenating with AND does not work neither....

Thank you guys, sorry for my foolery

woodcock · ‎02-29-2016

You need the concurrency command ( ... | where concurrency>=4)
http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Concurrency

View solution in original post

woodcock · ‎02-29-2016

You need the concurrency command ( ... | where concurrency>=4)
http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Concurrency

nikkkc · ‎03-01-2016

thanks thats it! 🙂 🙂 🙂

asimagu · ‎02-29-2016

I would start trying with transaction and the number of events per transaction maybe??

nikkkc · ‎03-01-2016

maybe this works also, but in my case the concurrency command is the easier way... thanks anyway

How to build an availability report showing results only when an error occurs on 4 servers at the same time?

What's New in Splunk Cloud Platform 9.3.2411?

Buttercup Games: Further Dashboarding Techniques (Part 6)

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!