Essentially, all I want to do is get a report of o...

papajon0s1 · ‎03-23-2017

Here's the thing, all the features in Splunk are great and all that, but all I need is a report emailed to us daily that lists all our Windows server's event log errors, criticals, and warnings from the Application and System logs sorted by most frequent error and then per host. I cannot find or figure out how to do this and it seems it should be like Splunk 101 type stuff. I have the light version running now and I feel I really don't need all the Enterprise stuff and certainly not if I can't get this one report to go. Either I am missing the point of missing something really obvious I think. Any help is greatly appreciated. Thanks.

woodcock · ‎03-23-2017

First: work on a search that filters in only the stuff that you would like to present. This is the hardest part but it should be pretty straightforward and FUN.
Click on the Save as menu in the upperish-right area and select Report.
On the Your Report Has Been Created dialog, select the Schedule link.
Click the Schedule report box.
Set the Schedule to Run every day.
Set the Timerange to Yesterday.
Set the Schedule Window to Auto.
Click the green Next button.
Click the Send email box.
Fill out that form.
Click Save.
Upvote any helpful answers.
Click Accept on the best/most-helpful answer.
Enjoy!

You must also go to the Settings -> Server settings -> Email settings and configure this correctly before the emails will work.

woodcock · ‎03-23-2017

What data is coming in to splunk already? What does this data look like? What searches have you tried?

papajon0s1 · ‎03-23-2017

Thanks for the reply. I just started this about a week ago and I added all our Windows servers and all I put in was the event log for Application and System. That's all I need at this point. Normal keyword searches seem to work ok. The goal was to email a report to the appropriate IT folks every day so you can eyeball issues that seem to pop up from time to time. Right now I go through the logs manually as part of out IT processes and it would be great to simply automate that task.

adonio · ‎03-23-2017

Hi papajon0s1,
are you using the Windows TA ?
here is a search that works for me when using the TA:
index = wineventlog sourcetype="WinEventLog:Application" OR sourcetype="WinEventLog:System" Type=Error OR Type=Warning | table _time host LogName EventCode Message

you can remove the eval statement, just used it to mask my hostname
hope it helps

papajon0s1 · ‎03-23-2017

Adonio, yes, I believe that's the one add-on I enabled. In fact, it updated this AM. Just playing a bit, if I do "index = *" and leave the source types then I get no results. If I remove the source types entirely then I get a ton of info. Just using the TA, I managed to get a pre-built dashboard to show up but that also returns no results.

adonio · ‎03-23-2017

can you verify you have the correct data?
index = * | stats count by sourcetype
check if you see the correct sourcetypes in results:
1. WinEventLog:Application"
2. sourcetype="WinEventLog:System
if you dont see the data we will work on inputs on your add-on

papajon0s1 · ‎03-23-2017

Ok, it comes back with this:

WMI:WinEventLog:Application
WMI:WinEventLog:System

adonio · ‎03-23-2017

i see, so you are collecting via WMI
just modify the search i shows above to reflect it
sourcetype = WMI:... OR sourcetype = WMI: ....
btw, since youre just starting, its ok to use it but i will suggest using the Universal Forwarder and not WMI.
you can read about it in docs:
https://docs.splunk.com/Documentation/Splunk/6.5.2/Data/ConsiderationsfordecidinghowtomonitorWindows...

papajon0s1 · ‎03-23-2017

Ok, thanks. I have data now when I set the index = * and the corrected sourcetype. Now... to get them to report how I want them to!

adonio · ‎03-23-2017

Great!
please close the question by clicking on accept answer
cheers!

papajon0s1 · ‎03-23-2017

I thought I commented, but maybe it did not take so sorry if this is a repeat comment. Anyway, I tired your search (minus the eval) and it returned no results. Odd. Other simple keyword searches work fine. Again, I am only a week in so a lot of the search criteria is currently above my learning curve. That said, maybe I can play with that a bit and see if I can discover what's missing in the search criteria.

aaraneta_splunk · ‎03-23-2017

@papajon0s1 - Just so you know, since you're a new user to Answers; your questions, answers, and comments get sent to the moderation queue to be reviewed before publishing. This would explain the delay in seeing your comment live on your post. Please be patient with the moderation team while this happens. Thanks!

adonio · ‎03-23-2017

try index = * instead of index = wineventlog
do you use the Windows TA? https://splunkbase.splunk.com/app/742/

papajon0s1 · ‎03-23-2017

Adonio, thanks for the reply. I did enable the Windows TA add-on (Hopefully, successfully!). I tried your search straight up copy and it returned no results, darn. The searches are still above my current learning curve (only been playing with this about a week now) but maybe I can try a few versions off that and see if I can get any data to come back.

Essentially, all I want to do is get a report of our Widnows server event logs sorted by most frequent errors per host. I can't seem to get that and feel I am missign somethign obvious here.

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...