Splunk Search

I am not getting the right query for searching for 2 different errors on the same server

stagare
New Member

For example, in the query below, the host is prodsrvhpsm01 and I am searching for 2 different errors, error1 and error2, but the query is not giving any data/response. Please let me know how to frame the query, or which chapter in the help documents covers this.

host=prodsrvhpsm01 error1 error2 | timechart span=1d count by host


niketn
Legend

@stagare... Are error1 and error2 extracted fields or strings in your raw data? Can you add a couple of dummy data samples for each? Also, you have done a stats aggregate by host; however, in your base search you have defined only one host. Only if there are multiple hosts would there be a point in splitting the statistics by host.

Nevertheless, the following should work (notice that error1 and error2 can both be added to your base search using OR; if you don't define anything, Splunk treats it the same as AND and will return only those events which have both error1 and error2 in the same event):

 <YourBaseSearchWithIndexAndSourcetype> host=* ("error1" OR "error2")
| timechart span=1d count(eval(searchmatch("error1"))) as Error1 count(eval(searchmatch("error2"))) as Error2 by host

PS: I have used searchmatch for the count. However, this may change depending on the actual data/field you are using in your Splunk environment.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
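As an added example that is not part of either post above, the following self-contained search reproduces the answer's approach on constructed data, so it can be pasted into a search bar as-is with no index required. It uses makeresults to build six events, one per day, all on the single host prodsrvhpsm01 (the "ERROR error1 ..." / "ERROR error2 ..." message texts and the one-event-per-day layout are assumptions made for illustration), filters them with the OR form, and counts each error string per day with searchmatch. Because there is only one host, the by host split is left out.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time=relative_time(now(), "-".n."d@d"),
       host="prodsrvhpsm01",
       _raw=case(n%3==1, "ERROR error1: disk quota exceeded",
                 n%3==2, "ERROR error2: upstream timeout",
                 true(), "ERROR error1 followed by error2 in the same event")
| search host=prodsrvhpsm01 ("error1" OR "error2")
| timechart span=1d count(eval(searchmatch("error1"))) AS Error1
                    count(eval(searchmatch("error2"))) AS Error2
                    count AS Total
```

All six constructed events survive the OR filter, so every day shows Total=1, with Error1 set on the four days whose message contains error1 and Error2 on the four days whose message contains error2. Replacing the filter line with the original implicit-AND form, search host=prodsrvhpsm01 error1 error2, keeps only the two events whose _raw contains both strings, which is the AND behaviour the answer describes.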