I have a search that sends me the top 10 errors on all of our servers each morning:
error OR Error OR alert OR Alert OR fail* OR Fail* source="WMI:WinEventLog*" | top limit=10 Message
But this would be much more helpful if I could, for each error, see which server(s) it has occurred on.
I assume I need to run a subsearch to figure out which server(s) the error has ocurred?
Using a subsearch is overkill -- use stats
instead. Something like the following should work.
error OR alert OR fail source="WMI:WinEventLog*"
| stats count values(host) by Message
| sort - count
| head 10
Unless I'm mistaken, the strings you're searching for are case-insensitive. In fact, I had asked this a while back, but I don't think you can have Splunk do a case-sensitive search. So in your case, you really only need
error OR alert OR fail ...
Using a subsearch is overkill -- use stats
instead. Something like the following should work.
error OR alert OR fail source="WMI:WinEventLog*"
| stats count values(host) by Message
| sort - count
| head 10
Perfect, thank you