Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to find the top 10 error codes by each host and display the count in a table?

SathyaNarayanan
Path Finder
‎11-07-2016 02:40 AM

Hi,

I have list of servers, I need to find top Event Codes errors for each host, as each host as different Event codes. How to list them in a single table and show the number of Event codes count?

Eg; The table should be like below

Host 
acdc   5678    1842   7415
adfdf  3485    7684   1582
0 Karma
Reply

Rocket66
Communicator
‎11-10-2016 07:50 AM

Why not :

... base_search ... | top EventCode by host

Quite simple ... or I missed something ... ?

0 Karma
Reply

niketn
Legend
‎11-07-2016 06:43 AM

I have edited my answer as per you last example to display top 10 host names and EventCode. Try the following:

your base search | eval myField= host + " - " + EventCode| top 10 myField showperc=f

-----Editing answer again--- Following will give top 10 EventCode counts over all hosts:. Please try and confirm(eventstats will add ECCount field to all existing event which can be used in stats sum command later):

your base search here | eventstats count as ECCount by EventCode | chart limit=10 userother=f sum(ECCount) over host by EventCode

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

niketn
Legend
‎11-09-2016 04:29 AM

Above query should return result in the following format:

HOSTA - EventCode1 Count1
HOSTA - EventCode2 Count2
....

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

SathyaNarayanan
Path Finder
‎11-10-2016 01:21 AM

Thanks for your response, but with the above query its showing only 10 servers, with the event code & count.

i need the list of all server with the 10 errors as the column in it.

Host A EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host B EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host C EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host D EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host E EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host F EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host G EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode

0 Karma
Reply

niketn
Legend
‎11-10-2016 02:23 AM

I have added a second search query as per your example above. Can you check and confirm whether it works for you or not?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

SathyaNarayanan
Path Finder
‎11-10-2016 02:53 AM

i tried with your new query, that is also not helping it.

Thanks for your time

0 Karma
Reply

niketn
Legend
‎11-10-2016 03:08 AM

Do you mean the output is not what you expect or does the query has any issue? Can you share the output?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

javiergn
Super Champion
‎11-07-2016 03:08 AM

See if the following works for you:

your base search here
| stats count by EventCode, host
| sort limit=0 host, - count
| streamstats count as top by host
| where top <= 10
| stats list(EventCode) as EventCode, list(count) as count by host

Thanks,
J

0 Karma
Reply

SathyaNarayanan
Path Finder
‎11-09-2016 02:00 AM

When i execute the above command, am getting the results as below

host 3688 10016 7001 5722 ......................................
asdfd 0 0 1 0
kjhl 0 1 0 0
mk; 1 0 0 0

It goes on like this

0 Karma
Reply

javiergn
Super Champion
‎11-09-2016 02:23 AM

Sorry but your example doesn't really help as I don't know what the numbers mean. Are they counts? are they event codes?

Something like this would help:

HOSTA EventCode1 Count1
HOSTA EventCode2 Count2
....
0 Karma
Reply

SathyaNarayanan
Path Finder
‎11-09-2016 02:35 AM

Need to show top errors for each host with event code count

0 Karma
Reply

javiergn
Super Champion
‎11-10-2016 06:56 AM

Based on your answers below I'm guessing this is what you are looking for:

your base search here
| stats count by EventCode, host
| sort limit=0 host, - count
| streamstats count as top by host
| where top <= 10
| stats list(EventCode) as EventCode by host
| eval EventCode = mvjoin(EventCode, " ")

This would give you a similar output to the one you listed below:

Host A EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host B EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host C EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host D EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host E EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host F EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode
Host G EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode EventCode

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...