Re: I am not getting the right query for searching...

stagare · ‎04-11-2017

For example, below query, the host is prodsrvhpsm01 and I am searching for 2 different errors error1 and error2 but below query is not giving data/response. Please let me know how to frame the query or chapter in this help documents.

host=prodsrvhpsm01 error1 error2 | timechart span=1d count by host

niketn · ‎04-11-2017

@stagare... Are error1 and error2 extracted fields or String in your raw data? Can you add couple of dummy data for each? Also you have done stats aggregate by host, however, in your base search you have defined only one host. Only if there are multiple hosts there would be a point to split the statistics by host.

Nevertheless, the following should work (Notice that error1 and error2 both can be added in our base search using OR. If you dont define anything Splunk treats the same as AND and will return only those events which have both error1 and error2 in same event :

 <YourBaseSearchWithIndexAndSourcetype> host=* "error1" OR "error2" 
| timechart span=1d count(eval(searchmatch("error1"))) as Error1 count(eval(searchmatch("error2"))) as Error2 by host

PS: I have used searchmatch for count. However the same may change based on what is the actual data/field you are using in your Splunk environment.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

I am not getting the right query for searching 2 different errors on same one server

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor