Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to correlate Application log and Server logs

aaru
New Member
‎10-14-2013 11:03 PM

Hi,

We are trying to create a chart containing application error logs and the logs of the corresponding server to relate application issues with the server behaviour.

Kindly advise if any existing apps are available / steps to create a custom chart.

Tags (1)
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎10-16-2013 09:39 AM

If you want to find an event in the first log, then extract the timerange of the crash event. And use it to retrieve the system logs around the same time period,

You can look at those methods :
http://answers.splunk.com/answers/75204/create-time-range-from-times-gleaned-from-one-search-to-perf...

Or use a search on both logs of the same host at the same time, and display the cpu/mem timechart and a count of crash events in a timechart.

pseudo search :
(sourcetype=application AND crash ) OR ( sourcetype=system cpu OR mem) | eval crash_event=if(sourcetype="application",1,0) | timechart avg(cpu) avg(mem) sum(crash_event)

0 Karma
Reply

piebob
Splunk Employee
Splunk Employee
‎10-15-2013 01:31 PM

note: there is a bug in Splunk Answers that doesn't bring the app tag across when you click 'ask a question' on the app page on apps.splunk.com, which is why this question has less context than expected :).

0 Karma
Reply

lukejadamec
Super Champion
‎10-15-2013 06:41 AM

One way to start an investigation like this is to search the time frame prior to the failure for every log for that server. If you use a time span long enough you might see spikes or gaps in activity.

The easiest way to corelate Application and Security logs is by time. For very short time spans I find a table with _time,Message handy because it basically gives you a timeline of events.

0 Karma
Reply

aaru
New Member
‎10-15-2013 04:13 AM

"Here's the scenario: we have a business application and it has crashed due to unknown issues. we want to check the application generated error logs such as table data / log files against the server data such as CPU usage by process, Memory usage by process, Disk I/O usage by process during the time of crash to find a root cause of the issue."

Please advise on the same

0 Karma
Reply

Ayn
Legend
‎10-14-2013 11:17 PM

This question is WAY too generic for us to be able to offer you any useful advice. What server logs? What application logs? How would you want to correlate them? Exactly what should the chart show? In what sense would it be custom? Etc, etc, etc...

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...