How can I display the search results which have occurred more than 3 times over the last one hour

Ravi_c
New Member

Hi,

I'm having search events like this:

23 Apr 2014 02:46:32,986 - 3339321692 [FtpTaskQueue] Error in Uploading Files
23 Apr 2014 02:46:31,672 - 3339320378 [FtpTaskQueue] Error in Uploading Files
23 Apr 2014 02:31:32,242 - 3338420948 [FtpTaskQueue] Error in Uploading Files
Here "Error in Uploading Files" has occurred more than 3 times, at different times.

So I need to display this error count as 3 under different hosts. I have around 12 hosts which have events like this. If the count is 2 for the last one hour, then I should not display the host.

Please Help.

0 Karma

MuS
SplunkTrust

Hi Ravi_c,

Without any further details given, you could do something like this:

YourBaseSearchHere "Error in Uploading Files" | timechart span=1h count by host | where count>=3 

cheers, MuS

0 Karma

MuS
SplunkTrust

Okay, listen, like @Ayn said in the other post: we are not here to solve your problems, we can help you to solve them on your own! I gave you the direction, you have to walk the path on your own ... and a good starting point is here

0 Karma

Ravi_c
New Member

It's giving me the count; I don't want the count to come in the result, I want the matching events (_raw) which have a count of more than 3.

I need to display the results if and only if the events count > 3.

0 Karma

linu1988
Champion

It's equal if you extract the name from the search or if it is there in the event itself; the count won't change. So @MuS's search is the way to go.

YourBaseSearchHere earliest=-60m "uploading reports to FTP server" | stats count(_raw) as CNT | where CNT > 3

This is it!

0 Karma

Ravi_c
New Member

Hi,

I'm using

YourBaseSearchHere earliest=-60m | regex _raw="uploading reports to FTP server" | fields _raw,host | stats count(_raw) as CNT | where CNT > 3

This is returning only the total count. I need the _raw and host, so how can I write the search to get _raw and host if the search count >= 3?

0 Karma
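The question of keeping the matching events while still filtering on the per-host count is left open in the thread. As an added example (not posted by anyone in this thread), here is one way to do it: `eventstats` attaches the count to every event instead of collapsing the result set, so the `where` clause can filter on it and `_raw` and `host` survive. The index and sourcetype are placeholders to be replaced with whatever the base search in the thread actually is.

```spl
index=YOUR_INDEX sourcetype=YOUR_SOURCETYPE earliest=-60m "Error in Uploading Files"
| eventstats count AS error_count BY host
| where error_count >= 3
| table _time host error_count _raw
| sort host -_time
```

If one row per host is preferable to one row per event, replace the `eventstats`, `where` and `table` lines with `| stats count AS error_count values(_raw) AS events BY host | where error_count >= 3`, which lists the raw events of each qualifying host in a single multivalue field. Note the difference between this rolling window and the `timechart span=1h` approach: `earliest=-60m` counts everything in the last sixty minutes, whereas `span=1h` buckets align to clock hours, so three errors spread across the top of the hour (for example 02:50, 03:05, 03:10) land in two buckets and never reach the threshold in either.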

MuS
SplunkTrust

Sorry, but this search does not reflect your question: you asked for three events in one hour, but your search checks for more than 2 and timechart spans 15 minutes. Also, is some placeholder, or are you literally searching for this?

0 Karma

Ravi_c
New Member

Hi,

|timechart span=15m count by host| where count > 2|rename _time AS Time | eval Time=strftime(Time, "%d/%m/%Y %H:%M")

0 Karma

MuS
SplunkTrust

Did you consider the fact that you maybe don't have any errors currently?
If you could provide the exact search you did and maybe some more information, it would be easier to help ... 'nothing was displaying ...' isn't helpful either.

Ravi_c
New Member

Nothing was displaying with your solution

0 Karma