Your best bet would be to find your error events, and then create eventtypes for them. You would then be able to search for the eventtype, and get a count of the hosts. For example:
index=firewall eventtype=fw_input_errors | stats count by host
For the time period you can use the time picker, or add it to the search:
earliest=-7d latest=now index=firewall eventtype=fw_input_errors | stats count by host
More on eventtypes:
http://docs.splunk.com/Documentation/Splunk/latest/knowledge/Defineeventtypes
http://docs.splunk.com/Documentation/Splunk/latest/Admin/eventtypesconf
HTH,
Dave
Are you able to find the error events that you want to count in your data?
Thanks Dave. But maybe because I am such a newb, I am still lost. I have about 100 Cisco switches and routers across MPLS, but I want to see the top 10 devices that give the most errors over a 7-day period. I have a deadline I am trying to meet for Tuesday and I am really stuck.
Thank you in advance.
I want to see the Cisco devices that have the most input/output errors over a 7-day period. The below is for one of my devices.
Total Counters since 01/17/13 04:30 PM EST
286663 input errors, 0 output errors
0 input discards, 0 output discards
11570 interface resets, 69 carrier transitions
Can you provide a sample of your logs?
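An added example, not part of any post in this thread: one way to rank the top 10 devices from counter output like the sample above. It assumes each poll of a device is indexed as an event containing the "N input errors, N output errors" line, that `host` is set to the device name, and that `index=firewall` (taken from the answer above) is a placeholder for wherever the data actually lives.

```spl
index=firewall earliest=-7d latest=now "input errors"
| rex "(?<input_errors>\d+) input errors, (?<output_errors>\d+) output errors"
| stats range(input_errors) AS input_errors_7d range(output_errors) AS output_errors_7d by host
| eval total_errors_7d = input_errors_7d + output_errors_7d
| sort - total_errors_7d
| head 10
```

Because the counters are cumulative since the date shown in the output, `range()` (max minus min) is used to get the growth inside the 7-day window rather than the lifetime total. If a device's counters were cleared during the window, the value for that host will not reflect its real growth.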