Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to correlate hosts from event logs to group certain servers in one dashboard or report?

anupjishnu
Path Finder
‎10-06-2014 12:23 PM

I have multiple servers for which I am monitoring event logs via Splunk. The servers are owned by different teams. There is no information about team in the event log messages. I want to group the servers via team names in "one" graph (dashboard or report). The mapping between team and servers is internal.

e.g:
Team A = Server1, Server 3, Server 5
Team B = Server2, Server6
Team C = Server4, Server7, Server8

Event logs have Host field holding server name (e.g: Server3). But no information about team is stored in the event log.

I want one panel which will show errors in last 24 hours by team.
X-Axis: Timespan count by hour
Y-Axis: Number of errors
3 columns per hour - one for each team

Query for errors by host:
(Type="Error") (wmi_type="WinEventLog:Application") | timechart span=1h count by host

Since field for team does not exist, I cannot use avg.
I tried to use subsearch with but it was giving fewer results than what I could get from the above query which tells me it is not correct.
How do I query the report?

Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎10-06-2014 01:03 PM

Hi anupjishnu,

you could use eventtype to group the servers into teams, take a look at the docs. So you can build an eventtype named TeamA which referees to a search like this 

host=Server1 OR host=Server OR host=Server 5

Next you can use this eventtype in the search like this:

eventtype=TeamA (Type="Error") (wmi_type="WinEventLog:Application") | timechart span=1h count by host

hope this helps to get you started ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎10-06-2014 01:03 PM

Hi anupjishnu,

you could use eventtype to group the servers into teams, take a look at the docs. So you can build an eventtype named TeamA which referees to a search like this 

host=Server1 OR host=Server OR host=Server 5

Next you can use this eventtype in the search like this:

eventtype=TeamA (Type="Error") (wmi_type="WinEventLog:Application") | timechart span=1h count by host

hope this helps to get you started ...

cheers, MuS

Reply
Solved! Jump to solution

anupjishnu
Path Finder
‎10-06-2014 01:46 PM

I think this is exactly what I am looking for. I will work on it and keep this thread updated.
Update: This is it 🙂

Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...