Solved: Top errors with hosts

jamesklassen · ‎06-22-2011

I have a search that sends me the top 10 errors on all of our servers each morning:

error OR Error OR alert OR Alert OR fail* OR Fail* source="WMI:WinEventLog*" | top limit=10 Message

But this would be much more helpful if I could, for each error, see which server(s) it has occurred on.

I assume I need to run a subsearch to figure out which server(s) the error has ocurred?

southeringtonp · ‎06-22-2011

Using a subsearch is overkill -- use stats instead. Something like the following should work.

error OR alert OR fail source="WMI:WinEventLog*"
| stats count values(host) by Message
| sort - count
| head 10

View solution in original post

mfrost8 · ‎06-23-2011

Unless I'm mistaken, the strings you're searching for are case-insensitive. In fact, I had asked this a while back, but I don't think you can have Splunk do a case-sensitive search. So in your case, you really only need

error OR alert OR fail ...

southeringtonp · ‎06-22-2011

Using a subsearch is overkill -- use stats instead. Something like the following should work.

error OR alert OR fail source="WMI:WinEventLog*"
| stats count values(host) by Message
| sort - count
| head 10

jamesklassen · ‎06-22-2011

Perfect, thank you

Top errors with hosts

Message Parsing in SOCK

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

Use ‘em or lose ‘em | Splunk training units do expire