Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to correlate Application log and Server logs

aaru
New Member
‎10-14-2013 11:03 PM

Hi,

We are trying to create a chart containing application error logs and the logs of the corresponding server to relate application issues with the server behaviour.

Kindly advise if any existing apps are available / steps to create a custom chart.

Tags (1)
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎10-16-2013 09:39 AM

If you want to find an event in the first log, then extract the timerange of the crash event. And use it to retrieve the system logs around the same time period,

You can look at those methods :
http://answers.splunk.com/answers/75204/create-time-range-from-times-gleaned-from-one-search-to-perf...

Or use a search on both logs of the same host at the same time, and display the cpu/mem timechart and a count of crash events in a timechart.

pseudo search :
(sourcetype=application AND crash ) OR ( sourcetype=system cpu OR mem) | eval crash_event=if(sourcetype="application",1,0) | timechart avg(cpu) avg(mem) sum(crash_event)

0 Karma
Reply

piebob
Splunk Employee
Splunk Employee
‎10-15-2013 01:31 PM

note: there is a bug in Splunk Answers that doesn't bring the app tag across when you click 'ask a question' on the app page on apps.splunk.com, which is why this question has less context than expected :).

0 Karma
Reply

lukejadamec
Super Champion
‎10-15-2013 06:41 AM

One way to start an investigation like this is to search the time frame prior to the failure for every log for that server. If you use a time span long enough you might see spikes or gaps in activity.

The easiest way to corelate Application and Security logs is by time. For very short time spans I find a table with _time,Message handy because it basically gives you a timeline of events.

0 Karma
Reply

aaru
New Member
‎10-15-2013 04:13 AM

"Here's the scenario: we have a business application and it has crashed due to unknown issues. we want to check the application generated error logs such as table data / log files against the server data such as CPU usage by process, Memory usage by process, Disk I/O usage by process during the time of crash to find a root cause of the issue."

Please advise on the same

0 Karma
Reply

Ayn
Legend
‎10-14-2013 11:17 PM

This question is WAY too generic for us to be able to offer you any useful advice. What server logs? What application logs? How would you want to correlate them? Exactly what should the chart show? In what sense would it be custom? Etc, etc, etc...

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...