Splunk Search

New user - trying to work out a report


I am a brand new Splunk user - could use a couple of pointers getting started on reporting...

I have a dataset that Splunk is indexing - incoming events contain a host name, event type, event description, IP address, support group etc. All the usual things you'd expect from a network monitoring environment.

I can generate a simple report that shows which hosts have the most entries, but what I need to do is something like this:

1) For a given time period (say the last week or last month) identify the hosts that have had more than some threshold number of alerts (say 100).

2) Generate a report that lists, by support group, the "count" of the number of hosts that had more than 100 alerts. Each event includes both the support group and the host name

3) Allow the user to drill down into a support group, and produce a table that lists all the hosts belonging to the support group who had more than 100 alerts.

4) Allow the user to drill down into a host and show the individual events that make up that 100+ alert list...

I can tell that all the required data is available within Splunk, but I have not been able to get a handle on how to extract and display that data. Any pointers to appropriate documentation, or examples of something similar would be good. I am using Splunk 4.x

For example, the top level of the report might be a table that looks like:

Support Group    Count
  ABC             2000
  DEF             2500
  GHI             1500

Then drilling down into DEF (can that be a link??) you would see:

HostName         Count
 def_001          222
 def_002          300
 def_003         1978

and and then you could drill down into def_002 to see the 300 individual events...

Any pointers would be appreciated. Thanks in advance,


Tags (2)
0 Karma

Re: New user - trying to work out a report

Splunk Employee
Splunk Employee

Looking at your first two requests, I believe the following should meet your needs:

1) [Search String] | stats count by host | where count > 100 -- Obviously you can use whatever search, or whatever stats you want.

2) Your first report could be: [Search string] | stats count as EventCount by host, SupportGroup | where count > 100 | stats count(host) by SupportGroup

For the dashboard, I think you should be able to do a standard drill down in the Advanced XML view for 3 and 4, but I'm not a drilldown expert. I'd recommend looking through the example here for having cascading dashboards, and seeing if you can copy and modify that enough to fit your needs. Alternatively, someone else might step and and provide more specific advice for you. If you run into questions with building dashboards, you can always also grabbing UI Examples off Splunkbase and look through some of the examples there.

View solution in original post

0 Karma