Splunk Search

How to ignore timestamp to group events and show # of occurrences by ComputerName

cmahan
Path Finder

I need to run weekly reports that show all Error Messages that have occurred and have it split by the computer names and a count of the number of errors for each. I've been searching all over and am just more confused. It should look something like this:

Execute Method: WriteToDB procedure: Out of memory 189 Total
Pc1 - 25
Pc2 - 44
Server1 - 120
"The operation has timed out.", 432 Total
Pc1 - 390
Pc2 - 20
Server1 - 22

Layout/format not as important as content being there.

We have several errors where the only difference is the timestamp on the Windows event. We are monitoring 150 servers. Any help would be very appreciated. Thanks!

0 Karma

cmahan
Path Finder

Haven't had time to try... This looks very specific to just those sample errors. I actually want to run it against all errors and computers: 150 servers with lots of errors, like 300,000 for the week. I'll let you know. Going to try playing with stats as the other answer suggests first. Thanks.

0 Karma

linu1988
Champion

Did it work? I am not sure if we can achieve the format you are looking for in Splunk search output.

0 Karma

cmahan
Path Finder

Thanks, do you mean a sample of our real logs to look at? Can I attach something here, or just paste in the window?

0 Karma

lukejadamec
Super Champion

Try stats (one of my favorites):

somesearch that pulls the errors you're interested in | stats count by error_message,computer_name

Very easy to dress this up to make the output more readable.

0 Karma

lukejadamec
Super Champion

You might find that two stats searches work better for you.
One that counts the error types, | stats count by error_message, to get you a total for each error message, and then one that counts the error messages for each computer, | stats count by computer_name,error_message

0 Karma

lukejadamec
Super Champion

How many errors, and what is the field name?
How many servers, and I'm assuming the field name is host?
Stats should work fine for you. But, I could use some specifics.

0 Karma

cmahan
Path Finder

I did once get something using stats for another purpose, but couldn't recreate it when I went back again. 😞

0 Karma

linu1988
Champion

Let us try:
sourcetype=blah "Execute Method" OR "WriteToDB procedure" OR "Out of memory" | stats count as Total_Error1 | table Total_Error1 | append [| search sourcetype=blah "Execute Method" OR "WriteToDB procedure" OR "Out of memory" | stats count as Error1 by host | table host,Error1] | append [| search sourcetype=blah "The operation has timed out." | stats count as Total_Error2 | table Total_Error2] | append [| search sourcetype=blah "The operation has timed out." | stats count as Error2 by host | table host,Error2]

Ugly, but we can have better one if we can have some logs.

0 Karma
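An added example (not from any poster in this thread) that folds lukejadamec's two-stats idea and linu1988's per-error/per-host totals into one search producing the "error, total, then host counts" layout the asker wants. It assumes the Windows event text is in the Message field and the computer in host (swap in ComputerName if that is what your inputs populate), and that the events which differ "only in the timestamp" carry that timestamp inside the message text, so it is masked before grouping.

```spl
sourcetype="WinEventLog:Application" Type=Error
| eval error_message=replace(Message, "\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}(\.\d+)?", "<ts>")
| stats count by error_message, host
| stats sum(count) as total, list(host) as host, list(count) as count by error_message
| sort - total
```

Each result row is one error message with its total and aligned multivalue host/count columns; list() keeps at most 100 values per cell, so on a very wide fleet keep the first stats output instead and sort it by error_message.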