Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to find the top 10 error codes by each host and display the count in a table?

SathyaNarayanan
Path Finder
‎11-07-2016 02:40 AM

Hi,

I have list of servers, I need to find top Event Codes errors for each host, as each host as different Event codes. How to list them in a single table and show the number of Event codes count?

Eg; The table should be like below

Host 
acdc   5678    1842   7415
adfdf  3485    7684   1582
0 Karma
Reply

Rocket66
Communicator
‎11-10-2016 07:50 AM

Why not :

... base_search ... | top EventCode by host

Quite simple ... or I missed something ... ?

0 Karma
Reply

niketn
Legend
‎11-07-2016 06:43 AM

I have edited my answer as per you last example to display top 10 host names and EventCode. Try the following:

your base search | eval myField= host + " - " + EventCode| top 10 myField showperc=f

-----Editing answer again--- Following will give top 10 EventCode counts over all hosts:. Please try and confirm(eventstats will add ECCount field to all existing event which can be used in stats sum command later):

your base search here | eventstats count as ECCount by EventCode | chart limit=10 userother=f sum(ECCount) over host by EventCode

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

niketn
Legend
‎11-09-2016 04:29 AM

Above query should return result in the following format:

HOSTA - EventCode1 Count1
HOSTA - EventCode2 Count2
....

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

SathyaNarayanan
Path Finder
‎11-10-2016 01:21 AM

Thanks for your response, but with the above query its showing only 10 servers, with the event code & count.

i need the list of all server with the 10 errors as the column in it.

Host A EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host B EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host C EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host D EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host E EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host F EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host G EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode

0 Karma
Reply

niketn
Legend
‎11-10-2016 02:23 AM

I have added a second search query as per your example above. Can you check and confirm whether it works for you or not?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

SathyaNarayanan
Path Finder
‎11-10-2016 02:53 AM

i tried with your new query, that is also not helping it.

Thanks for your time

0 Karma
Reply

niketn
Legend
‎11-10-2016 03:08 AM

Do you mean the output is not what you expect or does the query has any issue? Can you share the output?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

javiergn
Super Champion
‎11-07-2016 03:08 AM

See if the following works for you:

your base search here
| stats count by EventCode, host
| sort limit=0 host, - count
| streamstats count as top by host
| where top <= 10
| stats list(EventCode) as EventCode, list(count) as count by host

Thanks,
J

0 Karma
Reply

SathyaNarayanan
Path Finder
‎11-09-2016 02:00 AM

When i execute the above command, am getting the results as below

host 3688 10016 7001 5722 ......................................
asdfd 0 0 1 0
kjhl 0 1 0 0
mk; 1 0 0 0

It goes on like this

0 Karma
Reply

javiergn
Super Champion
‎11-09-2016 02:23 AM

Sorry but your example doesn't really help as I don't know what the numbers mean. Are they counts? are they event codes?

Something like this would help:

HOSTA EventCode1 Count1
HOSTA EventCode2 Count2
....
0 Karma
Reply

SathyaNarayanan
Path Finder
‎11-09-2016 02:35 AM

Need to show top errors for each host with event code count

0 Karma
Reply

javiergn
Super Champion
‎11-10-2016 06:56 AM

Based on your answers below I'm guessing this is what you are looking for:

your base search here
| stats count by EventCode, host
| sort limit=0 host, - count
| streamstats count as top by host
| where top <= 10
| stats list(EventCode) as EventCode by host
| eval EventCode = mvjoin(EventCode, " ")

This would give you a similar output to the one you listed below:

Host A EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host B EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host C EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host D EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host E EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host F EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host G EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...