"How are these transactions linked together... by a field called "ID"? If so.. just build them with the field ID, and then use one of the MV commands to extract a field with success or failure in it. Paste some samples and…"
The dojo of Splunk. Learn, share, teach, mentor.
Videos
Latest Activity
Nikita posted a discussionCount failures and success via transaction
Hi,I'm a new in Splunk so sorry for the stupid questions.I want to calculate failures in logs.For example we have request log and response log."request" OR ("fail" OR "response") |transaction startsWith=("request") endsWith=("fail" OR "response") maxpause=5s keepevicted=false maxspan=25s id |eval Failure=if(searchmatch("fail"),1,0)| eval Success=if(searchmatch("response"),1,0) | stats count(Failure) as FailureCount, count(Success) as SuccessCount | table FailureCount SuccessCountThat query…See More
Combining 'timechart' and 'top' in a report? (looking for printers with most pages printed)
I'm a very beginning Splunk user. My main job is on the phones/email in the call center, but I'm also involved with all the printer maintenance on project. Got into Splunk in an effort to build some reports on printer usage, and later on reporting frequent printer errors in an effort to find problem printers early. We've had it running for awhile, but I'm really the first person here to start messing with it.
Anyway, I've managed fairly easily to get a search/report on pages printed.
host="printserver" source="WinEventLog:System" Pages="*" | timechart sum(Pages)
From the print server, narrow it down to System events, and only ones that have a page count field, then graph it out. Gonna work great for looking at our monthly print quantities.
What I'd like to do is figure out the individual printers that have printed the most pages. Then select whatever timeframe I'm looking at.
I can easily get the top printers with the following, but it only gives me the ones with the most print jobs, not most pages.
host="printserver" source="WinEventLog:System" Pages="*" | top printer limit=30
I'm trying to figure out how to combine the two, but just not getting anywhere. Either its something simple that I'm overlooking or don't know about, or its going to be something a little odd.
Any ideas?
Anyway, I've managed fairly easily to get a search/report on pages printed.
host="printserver" source="WinEventLog:System" Pages="*" | timechart sum(Pages)
From the print server, narrow it down to System events, and only ones that have a page count field, then graph it out. Gonna work great for looking at our monthly print quantities.
What I'd like to do is figure out the individual printers that have printed the most pages. Then select whatever timeframe I'm looking at.
I can easily get the top printers with the following, but it only gives me the ones with the most print jobs, not most pages.
host="printserver" source="WinEventLog:System" Pages="*" | top printer limit=30
I'm trying to figure out how to combine the two, but just not getting anywhere. Either its something simple that I'm overlooking or don't know about, or its going to be something a little odd.
Any ideas?
Views: 50
Replies to This Discussion
-
Permalink Reply by Bob Munson on -
Ian
The timechart command can do a lot more than you are asking of it for instance if you want daily totals split by printer, you can use
host="printserver" source="WinEventLog:System" Pages="*" | timechart span=1d sum(Pages) as Pages/day by printer
Or if you want a top list of printers use the chart command, sort it and pick the top 30.
host="printserver" source="WinEventLog:System" Pages="*" | chart sum(Pages) as Pages/day over printer | sort -Pages/day | head 30
I hope that Helps
Bob
-
Permalink Reply by Ian Hoffman on
-
That is... EXCELLENT! Thanks!
That also got me going on some other stuff I'm working with, hadn't realized being able to chain the commands like that. Also doing the chart command with 'as' and 'over', going to be able to make use of that.
We're looking at printer use over the last 30 and 90 days, so my next step is to work on getting this as a summary index and then reporting on that. Then to work on having it in a dashboard view. And then working on getting printer errors captured in Splunk and getting those to a dashboard showing the printers with the most errors, hopefully finding the problem hardware before its a problem.
Still just getting going with this, but having fun, and know that I've got a ways to go.
© 2012 Created by Michael Wilde.
