Report and a dashboard

viji261992
Explorer

Our Splunk is receiving events from network devices, which contain hostname, eventuei="error reason" and eventtime.
1. I need to create a report which displays the hostname, corresponding error reason, eventtime and no. of alerts generated.
2. I need to create a dashboard with device name on the x-axis and no. of alerts on the y-axis.
3. A complete dashboard which shows total no. of hosts in my company, no. of hosts working fine, and no. of hosts that are down, based on error reason.

0 Karma

soumyasaha25
Contributor
  1. index=opennms sourcetype=event | stats values(eval(strftime(_time,"%Y-%m-%dT%H:%M:%S"))) as time_new list(nodeid) as hostname count by eventuei
     Note: The assumption here is that you have the hostnames in the field "nodeid".
  2. index=opennms sourcetype=event | stats values(nodeid) as hostname count by eventuei | fields - eventuei
     After running this search, go to the Visualization tab, select the chart type "column chart" and then save it as a dashboard.
  3. index=opennms sourcetype=event | timechart span=1h distinct_count(nodeid) as hostcount
     For "total no. of hosts in my company"; save it as a dashboard panel.

I will look into it again when I have some more time; meanwhile, can you check if the above searches work/meet your requirements?

0 Karma

kamlesh_vaghela
SplunkTrust

@viji261992

Can you please share sample events?

0 Karma

viji261992
Explorer

2018-10-06 08:33:04.248, eventid="160109240", eventuei="uei.opennms.org/XOM/threshold/wan_routers/int-rx-util-rearm", nodeid="15925", eventtime="2018-10-06 08:33:04.248", ipaddr="x.x.x.x", eventlogmsg="Interface Gi2/0/2 on GQEGJ-WANRTC002 RX (58.21%) exceeded threshold has cleared", eventseverity="3", alarmid="24607406", nodelabel="GQEGJ-WANRTC002"

This is the log that we are getting from our tools.
Search : index=opennms sourcetype=event

0 Karma

kamlesh_vaghela
SplunkTrust

@viji261992

Can you please describe the fields below? I need the hostname, the device name and the correlation idea as per your requirement.

alarmid
eventid
eventlogmsg
eventseverity
eventtime
eventuei
ipaddr
nodeid
nodelabel

0 Karma
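The three requirements can be written directly against the fields visible in the sample event (nodelabel, eventuei, eventtime). The searches below are an added example, not code posted by anyone in this thread; they assume the key="value" pairs in the event are extracted as search-time fields, that nodelabel is the device name, and (for the third panel) that a host whose most recent eventuei contains the word "down" should be counted as down, which is a placeholder rule to be replaced with whatever UEIs the devices actually emit.

```spl
index=opennms sourcetype=event
| stats count AS alerts, latest(eventtime) AS last_eventtime BY nodelabel, eventuei
| rename nodelabel AS hostname, eventuei AS error_reason
| table hostname, error_reason, last_eventtime, alerts
| sort - alerts

index=opennms sourcetype=event
| stats count AS alerts BY nodelabel
| sort - alerts

index=opennms sourcetype=event
| stats latest(eventuei) AS last_uei BY nodelabel
| eval state=if(match(last_uei, "(?i)down"), "down", "ok")
| stats count AS total_hosts, count(eval(state=="ok")) AS hosts_ok, count(eval(state=="down")) AS hosts_down
```

The first search is the report (one row per host and error reason, with the alert count and the latest event time); the second feeds a column chart with nodelabel on the x-axis and alerts on the y-axis; the third produces a single row whose three fields can each drive a single-value panel. Because the third search classifies a host by its latest event only, a host that alternated between down and up is counted according to its most recent state, not its history; if the device feed also carries eventseverity, that field is a better basis for the "down" rule than a substring match on the UEI.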