Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: When using sparkline to display a table, why a...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jward6004
Explorer
03-02-2017
11:03 AM
I'm not able to populate the host field with information when using the search below. When I look at the events tab, I see these common fields shown such as host, ComputerName, ServerType but for some reason it's not populating in the table. Did I leave it out of my stats pipe and that's why it's not working?
Search:
index=example host=*fx* source="WinEventLog:Application" Type="Error" AND SourceName!="EmailManagerService" Message!="*Certificate enrollment for PROFLOWERS*"
| eval source_exception = SourceName.":".Message
| stats sparkline max(_time) as lasttime count(source_exception) as Total by source_exception
| eval lasttime=strftime(lasttime, "%Y/%m/%d %T.%3Q")
| table Total, lasttime, host, sparkline, source_exception
| sort -Total
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-02-2017
11:12 AM
Your stats line throws away the host value. Try something like this:
index=example host=*fx* source="WinEventLog:Application" Type="Error" AND SourceName!="EmailManagerService" Message!="*Certificate enrollment for PROFLOWERS*"
| eval source_exception = SourceName.":".Message
| stats sparkline max(_time) AS lasttime count(source_exception) AS Total values(host) AS host BY source_exception
| eval lasttime=strftime(lasttime, "%Y/%m/%d %T.%3Q")
| table Total, lasttime, host, sparkline, source_exception
| sort -Total
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-02-2017
11:12 AM
Your stats line throws away the host value. Try something like this:
index=example host=*fx* source="WinEventLog:Application" Type="Error" AND SourceName!="EmailManagerService" Message!="*Certificate enrollment for PROFLOWERS*"
| eval source_exception = SourceName.":".Message
| stats sparkline max(_time) AS lasttime count(source_exception) AS Total values(host) AS host BY source_exception
| eval lasttime=strftime(lasttime, "%Y/%m/%d %T.%3Q")
| table Total, lasttime, host, sparkline, source_exception
| sort -Total
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jward6004
Explorer
03-02-2017
11:47 AM
Thanks @woodcock
Get Updates on the Splunk Community!
Updated Team Landing Page in Splunk Observability
We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
The Transformative Power of AI and ML in Enhancing Observability
In the realm of IT operations, the ...
