Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

most common events

tlow
Explorer
‎05-21-2014 12:11 PM

Hello, in my search how do i find most common events.

tried this | cluster | table cluster_count, _raw | sort - cluster_count
but not displaying the cluster_count.

need to find what errors are generated the most.
Thanks

0 Karma
Reply

lguinn2
Legend
‎05-21-2014 12:31 PM

The problem as I see it: you need to decide how to group the events. You can try cluster but it better if you define "common".

Here is one possible search:

error* | stats count by source sourcetype host | sort -count

This will give you a count of the events that contain the word "error", with the most common host source and sourcetype listed first in the list.

Here is another - this also groups the errors by including a few of the characters that surround the word "error"

error* | rex "(?<msg>.{0,25}error.{0,25})"  | stats count by source sourcetype host msg | sort -count
0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out &gt;&gt; As our brave ...