Here's the thing, all the features in Splunk are great and all that, but all I need is a report emailed to us daily that lists all our Windows servers' event log errors, criticals, and warnings from the Application and System logs sorted by most frequent error and then per host. I cannot find or figure out how to do this and it seems it should be like Splunk 101 type stuff. I have the light version running now and I feel I really don't need all the Enterprise stuff and certainly not if I can't get this one report to go. Either I am missing the point or missing something really obvious I think. Any help is greatly appreciated. Thanks.
First: work on a search that filters in only the stuff that you would like to present. This is the hardest part but it should be pretty straightforward and FUN.
1. Click on the Save as menu in the upperish-right area and select Report.
2. On the Your Report Has Been Created dialog, select the Schedule link.
3. Click the Schedule report box.
4. Set the Schedule to Run every day.
5. Set the Timerange to Yesterday.
6. Set the Schedule Window to Auto.
7. Click the green Next button.
8. Click the Send email box.
9. Fill out that form.
10. Click Save.
11. Upvote any helpful answers.
12. Click Accept on the best/most-helpful answer.
13. Enjoy!
You must also go to Settings -> Server settings -> Email settings and configure this correctly before the emails will work.
What data is coming in to splunk already? What does this data look like? What searches have you tried?
Thanks for the reply. I just started this about a week ago and I added all our Windows servers and all I put in was the event log for Application and System. That's all I need at this point. Normal keyword searches seem to work ok. The goal was to email a report to the appropriate IT folks every day so you can eyeball issues that seem to pop up from time to time. Right now I go through the logs manually as part of our IT processes and it would be great to simply automate that task.
Hi papajon0s1,
are you using the Windows TA?
here is a search that works for me when using the TA:
index=wineventlog (sourcetype="WinEventLog:Application" OR sourcetype="WinEventLog:System") (Type=Error OR Type=Warning) | table _time host LogName EventCode Message
you can remove the eval statement, just used it to mask my hostname
hope it helps
Adonio, yes, I believe that's the one add-on I enabled. In fact, it updated this AM. Just playing a bit, if I do "index = *" and leave the source types then I get no results. If I remove the source types entirely then I get a ton of info. Just using the TA, I managed to get a pre-built dashboard to show up but that also returns no results.
can you verify you have the correct data?
index = * | stats count by sourcetype
check if you see the correct sourcetypes in results:
1. sourcetype="WinEventLog:Application"
2. sourcetype="WinEventLog:System"
if you don't see the data we will work on inputs on your add-on
Ok, it comes back with this:
WMI:WinEventLog:Application
WMI:WinEventLog:System
I see, so you are collecting via WMI
just modify the search I showed above to reflect it
sourcetype = WMI:... OR sourcetype = WMI: ....
btw, since you're just starting, it's ok to use it but I will suggest using the Universal Forwarder and not WMI.
you can read about it in docs:
https://docs.splunk.com/Documentation/Splunk/6.5.2/Data/ConsiderationsfordecidinghowtomonitorWindows...
Ok, thanks. I have data now when I set the index = * and the corrected sourcetype. Now... to get them to report how I want them to!
Great!
please close the question by clicking on accept answer
cheers!
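As an added example, not posted by anyone in this thread, here is a search that produces the report papajon0s1 asked for: Error, Warning and Critical events from the Application and System logs, most frequent event first, then broken down per host. It assumes the WMI sourcetypes shown above and the field names the Windows TA extracts (Type, LogName, EventCode, Message); the time range is left out because the scheduled report supplies it (Yesterday). Type=Critical is included because the question asks for criticals; if it matches nothing in your environment, drop it.

```spl
index=* (sourcetype="WMI:WinEventLog:Application" OR sourcetype="WMI:WinEventLog:System")
        (Type=Error OR Type=Warning OR Type=Critical)
| stats count AS per_host, latest(Message) AS sample_message BY LogName Type EventCode host
| eventstats sum(per_host) AS total BY LogName Type EventCode
| sort 0 -total, -per_host
| table total LogName Type EventCode host per_host sample_message
```

The stats groups on EventCode rather than Message so that events whose text carries variable data (paths, PIDs, usernames) still count as one error; eventstats then adds the across-hosts total so the sort puts the most frequent event first with its per-host rows directly beneath it.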
I thought I commented, but maybe it did not take so sorry if this is a repeat comment. Anyway, I tried your search (minus the eval) and it returned no results. Odd. Other simple keyword searches work fine. Again, I am only a week in so a lot of the search criteria is currently above my learning curve. That said, maybe I can play with that a bit and see if I can discover what's missing in the search criteria.
@papajon0s1 - Just so you know, since you're a new user to Answers; your questions, answers, and comments get sent to the moderation queue to be reviewed before publishing. This would explain the delay in seeing your comment live on your post. Please be patient with the moderation team while this happens. Thanks!
try index = * instead of index = wineventlog
do you use the Windows TA? https://splunkbase.splunk.com/app/742/
Adonio, thanks for the reply. I did enable the Windows TA add-on (Hopefully, successfully!). I tried your search straight up copy and it returned no results, darn. The searches are still above my current learning curve (only been playing with this about a week now) but maybe I can try a few versions off that and see if I can get any data to come back.