Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

I am not getting the right query for searching 2 different errors on same one server

stagare
Explorer
‎04-11-2017 02:25 AM

For example, below query, the host is prodsrvhpsm01 and I am searching for 2 different errors error1 and error2 but below query is not giving data/response. Please let me know how to frame the query or chapter in this help documents.

host=prodsrvhpsm01 error1 error2 | timechart span=1d count by host

Tags (2)
0 Karma
Reply

niketn
Legend
‎04-11-2017 04:26 AM

@stagare... Are error1 and error2 extracted fields or String in your raw data? Can you add couple of dummy data for each? Also you have done stats aggregate by host, however, in your base search you have defined only one host. Only if there are multiple hosts there would be a point to split the statistics by host.

Nevertheless, the following should work (Notice that error1 and error2 both can be added in our base search using OR. If you dont define anything Splunk treats the same as AND and will return only those events which have both error1 and error2 in same event :

 <YourBaseSearchWithIndexAndSourcetype> host=* "error1" OR "error2" 
| timechart span=1d count(eval(searchmatch("error1"))) as Error1 count(eval(searchmatch("error2"))) as Error2 by host

PS: I have used searchmatch for count. However the same may change based on what is the actual data/field you are using in your Splunk environment.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...