Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

I am not getting the right query for searching 2 different errors on same one server

stagare
Explorer
‎04-11-2017 02:25 AM

For example, below query, the host is prodsrvhpsm01 and I am searching for 2 different errors error1 and error2 but below query is not giving data/response. Please let me know how to frame the query or chapter in this help documents.

host=prodsrvhpsm01 error1 error2 | timechart span=1d count by host

Tags (2)
0 Karma
Reply

niketn
Legend
‎04-11-2017 04:26 AM

@stagare... Are error1 and error2 extracted fields or String in your raw data? Can you add couple of dummy data for each? Also you have done stats aggregate by host, however, in your base search you have defined only one host. Only if there are multiple hosts there would be a point to split the statistics by host.

Nevertheless, the following should work (Notice that error1 and error2 both can be added in our base search using OR. If you dont define anything Splunk treats the same as AND and will return only those events which have both error1 and error2 in same event :

 <YourBaseSearchWithIndexAndSourcetype> host=* "error1" OR "error2" 
| timechart span=1d count(eval(searchmatch("error1"))) as Error1 count(eval(searchmatch("error2"))) as Error2 by host

PS: I have used searchmatch for count. However the same may change based on what is the actual data/field you are using in your Splunk environment.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...