Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Table for Linux Message Log Error and Warning Logs

marendra
Explorer
‎05-19-2011 01:39 AM

Hi

I have quite number of Linux machine and I have sent their logs to my Splunk. The scenario is I would like to get the table similar like below:

Hostname Errors Warnings

HostA 4 4

HostB 44 1

I twisted my brain to do this since I am new to Splunk. Not like Windows, Windows log has Type field, where Linux log messages never categorize the log criticality. So I need to do my self. This is the one that I do:

sourcetype="messages" fail | stats count as fails by host | join host [search sourcetype="messages" error | stats count as errs by host] | stats values(fails), values(errs) by host | rename values(fails) as Failures | rename values(errs) as Errors | rename host as Hostname

It works and I can put in the table. But, When I click it, it will come out with no result. Is ther any better way? or is there a way to put html link below my table on my dashboard, for example, drilldown. So user can just click that one and I can turn of the drilldown in the table.

Please help

Thanks a lot

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎11-15-2013 08:36 AM

So it seems like the default drilldown from your dashboard table is not passing the whole query/correct query to flashtimeline, so you are getting no data. you might have a Redirector module within your table module. you can configure it to pass the exact query that you want to pass in the arg.q parameter. You can customize it with the row/field user clicked.

 <module name="Redirector">
      <param name="popup">True</param>
      <param name="url">flashtimeline</param>
      <param name="arg.earliest">$search.timeRange.earliest$</param>
      <param name="arg.latest">$search.timeRange.latest$</param>
      <param name="arg.q">search index=$index$ sourcetype="$sourcetype$" source="$source$" $click.fields.Field Name$</param>
</module>
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...