Splunk Search

How to find the top 10 error codes by each host and display the count in a table?

Path Finder

Hi,

I have a list of servers. I need to find the top Event Code errors for each host, as each host has different Event Codes. How do I list them in a single table and show the count for each Event Code?

E.g., the table should look like the one below:

Host 
acdc   5678    1842   7415
adfdf  3485    7684   1582
0 Karma

Communicator

Why not :

... base_search ... | top EventCode by host

Quite simple ... or I missed something ... ?

0 Karma

SplunkTrust

I have edited my answer as per your last example to display the top 10 host names and EventCodes. Try the following:

your base search | eval myField= host + " - " + EventCode| top 10 myField showperc=f

-----Editing answer again----- The following will give the top 10 EventCode counts over all hosts. Please try and confirm (eventstats will add an ECCount field to all existing events, which can be used in the stats sum command later):

your base search here | eventstats count as ECCount by EventCode | chart limit=10 useother=f sum(ECCount) over host by EventCode

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

SplunkTrust

The above query should return results in the following format:

HOSTA - EventCode1 Count1
HOSTA - EventCode2 Count2
....

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Path Finder

Thanks for your response, but with the above query it's showing only 10 servers, with the event code & count.

I need the list of all servers with the 10 errors as the columns in it.

Host A EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host B EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host C EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host D EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host E EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host F EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host G EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode

0 Karma

SplunkTrust

I have added a second search query as per your example above. Can you check and confirm whether it works for you or not?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Path Finder

I tried with your new query; that is also not helping.

Thanks for your time

0 Karma

SplunkTrust

Do you mean the output is not what you expect, or does the query have an issue? Can you share the output?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

SplunkTrust

See if the following works for you:

your base search here
| stats count by EventCode, host
| sort limit=0 host, -count
| streamstats count as top by host
| where top <= 10
| stats list(EventCode) as EventCode, list(count) as count by host

Thanks,
J

0 Karma

Path Finder

When I execute the above command, I am getting the results as below:

host 3688 10016 7001 5722 ......................................
asdfd 0 0 1 0
kjhl 0 1 0 0
mk; 1 0 0 0

It goes on like this

0 Karma

SplunkTrust

Sorry, but your example doesn't really help, as I don't know what the numbers mean. Are they counts? Are they event codes?

Something like this would help:

HOSTA EventCode1 Count1
HOSTA EventCode2 Count2
....
0 Karma

Path Finder

Need to show top errors for each host with event code count

0 Karma

SplunkTrust

Based on your answers below, I'm guessing this is what you are looking for:

your base search here
| stats count by EventCode, host
| sort limit=0 host, -count
| streamstats count as top by host
| where top <= 10
| stats list(EventCode) as EventCode by host
| eval EventCode = mvjoin(EventCode, " ")

This would give you output similar to the one you listed below:

Host A EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host B EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host C EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host D EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host E EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host F EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host G EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode

0 Karma
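The following is an added, self-contained example (not posted by anyone in this thread) that builds a small constructed set of host/EventCode events with makeresults and then runs the same stats / sort / streamstats / where / stats pipeline used in the two SplunkTrust answers above, so the "top N codes per host" shape can be checked without a real index. The host names and event codes are made up; the per-host cutoff is set to 2 because the sample only has three codes per host, and would be 10 for the case in the thread. The field produced by streamstats is named rank here rather than top, purely to avoid reusing a command name as a field name:

```spl
| makeresults
| eval sample="acdc:5678 acdc:5678 acdc:5678 acdc:1842 acdc:1842 acdc:7415 adfdf:3485 adfdf:3485 adfdf:3485 adfdf:3485 adfdf:7684 adfdf:7684 adfdf:1582"
| makemv delim=" " sample
| mvexpand sample
| rex field=sample "^(?<host>[^:]+):(?<EventCode>\d+)$"
| fields - sample
| stats count by EventCode, host
| sort 0 host, -count
| streamstats count as rank by host
| where rank <= 2
| stats list(EventCode) as EventCode, list(count) as count by host
| eval EventCode=mvjoin(EventCode, " "), count=mvjoin(count, " ")
```

The first five lines only fabricate one event per "host:EventCode" token; in real use, replace them with the base search and keep everything from `stats count by EventCode, host` onward. Sorting by host and then descending count before `streamstats count ... by host` is what makes rank a per-host position, so `where rank <= 2` keeps exactly the N most frequent codes of every host rather than the N most frequent host/code pairs overall (which is what `top 10 myField` on a combined field returns). Joining both multivalue fields with the same separator keeps the codes and their counts positionally aligned in the two columns, which the earlier mvjoin-only query dropped. For a defender this per-host baseline is the useful view: a host whose top codes differ from its peers stands out in a single table.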