Splunk Search

Search query for syslog in dashboard

mkrishnamoorthy
Explorer

Hey all,

Am in a need of dashboard to see my syslog traffic for four arista switches as mentioned below:

AA-UKD-AA-SW01 :- Port 3050
AA-UKD-AA-SW02 :- Port 3051
AA-UKM-AA-SW01 :- Port 3052
AA-UKM-AA-SW02 :- Port 3053

Added search query as:

index=inf* sourcetype=syslog host=AA-UKD-AA-SW* OR host=AA-UKM-AA-SW* | timechart span=1m count by host

Does the above mentioned query is right?

Thanks in advance.

0 Karma
1 Solution

jnudell_2
Builder

Hi @mkrishnamoorthy ,
If you're looking for the count of syslog events for each device broken down per minute over time, then this is the right search. Generally, you don't need to specify a span= value for timechart because it automatically picks the most appropriate value given the time range used in the search.

View solution in original post

jnudell_2
Builder

Hi @mkrishnamoorthy ,
If you're looking for the count of syslog events for each device broken down per minute over time, then this is the right search. Generally, you don't need to specify a span= value for timechart because it automatically picks the most appropriate value given the time range used in the search.

kmorris_splunk
Splunk Employee
Splunk Employee

This will show the number of events over time by host. Is that what you are trying to do? Or is there a value in the events that you want to sum for each host?

0 Karma

mkrishnamoorthy
Explorer

yes, am looking for number of events. I think am right.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...