Solved: Search query for syslog in dashboard

mkrishnamoorthy · ‎06-12-2019

Hey all,

Am in a need of dashboard to see my syslog traffic for four arista switches as mentioned below:

AA-UKD-AA-SW01 :- Port 3050
AA-UKD-AA-SW02 :- Port 3051
AA-UKM-AA-SW01 :- Port 3052
AA-UKM-AA-SW02 :- Port 3053

Added search query as:

index=inf* sourcetype=syslog host=AA-UKD-AA-SW* OR host=AA-UKM-AA-SW* | timechart span=1m count by host

Does the above mentioned query is right?

Thanks in advance.

jnudell_2 · ‎06-13-2019

Hi @mkrishnamoorthy ,
If you're looking for the count of syslog events for each device broken down per minute over time, then this is the right search. Generally, you don't need to specify a span= value for timechart because it automatically picks the most appropriate value given the time range used in the search.

View solution in original post

jnudell_2 · ‎06-13-2019

Hi @mkrishnamoorthy ,
If you're looking for the count of syslog events for each device broken down per minute over time, then this is the right search. Generally, you don't need to specify a span= value for timechart because it automatically picks the most appropriate value given the time range used in the search.

kmorris_splunk · ‎06-13-2019

This will show the number of events over time by host. Is that what you are trying to do? Or is there a value in the events that you want to sum for each host?

mkrishnamoorthy · ‎06-13-2019

yes, am looking for number of events. I think am right.

Search query for syslog in dashboard

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?