Solved: Why is my search to chart server errors per host o...

synking · ‎10-18-2018

Hey all,

I am trying to show all iis errors separated by host over a 24 hour period. But, when I run the below command, it completes and says it has 200,000 plus results, but nothing shows up in the graph. Can anyone assist?

Thanks.

host="**"  | chart list(host) over time by count(sc_status) span=1d

synking · ‎10-19-2018

I was able to get the results I wanted by using the below command.

|bin _time span=1d | chart sum(sc_status) list(sort(sc_status)) by host,sc_status

View solution in original post

synking · ‎10-19-2018

I was able to get the results I wanted by using the below command.

|bin _time span=1d | chart sum(sc_status) list(sort(sc_status)) by host,sc_status

Vijeta · ‎10-18-2018

host="*" | bin span=1d _time| stats count(sc_status)  as count by host sc_status

synking · ‎10-19-2018

Thank you this gets me more than I was able to before. But the chart will only show one server. Is there a way to show all servers and separate the status by status type instead of total count

Why is my search to chart server errors per host over a 24 hour period not working?

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?