Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to ignore timestamp to group events and show # of occurences by ComputerName

cmahan
Path Finder
‎08-14-2013 10:50 AM

I need to run weekly reports that show all Error Messages that have occurred and have it split by the computernames and a count of the number of errors for each. Been searching all over and just more confused. It should look something like this

Execute Method: WriteToDB procedure: Out of memory 189 Total
Pc1 - 25
Pc2 - 44
Server1 - 120
"The operation has timed out.", 432 Total
Pc1 - 390
Pc2 - 20
Server1 - 22

Layout/format not as important as content being there.

We have several errors where the only difference is the timestamp on the Windows event. We are monitoring 150 servers. Any help would be very appreciated. Thanks!

Tags (2)
0 Karma
Reply

cmahan
Path Finder
‎08-14-2013 12:46 PM

Haven't had time to try... This looks very specific to just those sample errors.. I actually want to run it against all errors and Computers. 150 servers with lots of errors. like 300,000 for the week. I'll let you know. Going to try playing with stats as the other answer suggests first. Thanks.

0 Karma
Reply

linu1988
Champion
‎08-14-2013 11:41 AM

Did it work? i am not sure if we can achieve the format you are looking for in splunk search output.

0 Karma
Reply

cmahan
Path Finder
‎08-14-2013 11:25 AM

Thanks, do you mean a sample of our real logs to look at? Can i attach something here, or just paste in the window..?

0 Karma
Reply

lukejadamec
Super Champion
‎08-14-2013 11:12 AM

Try stats (one of my favorites)

somesearch that pulls the errors you're interested in | stats count by error_message,computer_name

Very easy to dress this up to make the output more readable.

0 Karma
Reply

lukejadamec
Super Champion
‎08-15-2013 07:58 AM

You might find that two stats searches work better for you.
One that counts the error types | stats count by error_message, to get you a total for each error message, and then one that counts the error messages for each computer | stats count by computer_name,error_message

0 Karma
Reply

lukejadamec
Super Champion
‎08-14-2013 11:57 AM

How many errors, and what is the field name?
How many servers, and I'm assuming the field name is host?
Stats should work fine for you. But, I could use some specifics.

0 Karma
Reply

cmahan
Path Finder
‎08-14-2013 11:26 AM

i did once get something using stats for another purpose.. couldn't recreate it when i went back again. 😞

0 Karma
Reply

linu1988
Champion
‎08-14-2013 11:11 AM

Let us try:
sourcetype=blah "Execute Method" OR "WriteToDB procedure" OR "Out of memory"|stats count as "Total_Error1"|table Total_Error1]|append [|search sourcetype=blah "Execute Method" OR "WriteToDB procedure" OR "Out of memory"|stats count as Error1 by host|table host,Error1]|append[|search sourcetype=blah "The operation has timed out."|stats count as "Total_Errors2"|table Total_Error2]|append [|search sourcetype=blah "The operation has timed out."|stats count as Error2 by host|table host,Error2]

Ugly, but we can have better one if we can have some logs.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...