Splunk search for Splunk errors
index=_internal sourcetype=splunkd log_level="ERROR"
| stats sparkline count dc(host) as hosts latest(event_message) as last_raw_msg values(sourcetype) as sourcetype latest(_time) as last_msg_time earliest(_time) as first_msg_time values(index) as index by punct
| convert ctime(last_msg_time) ctime(first_msg_time)
| table last_raw_msg count hosts sourcetype index first_msg_time last_msg_time sparkline
| rename last_raw_msg as "Error", count as Count, hosts as "Affected Hosts", sourcetype as Sourcetype, index as Index, first_msg_time as "First Occurrence", last_msg_time as "Most Recent Occurrence", sparkline as Trend
| sort - Count
This Splunk search summarises the ERROR-level events in splunkd.log, grouped by the punct field so that messages that differ only in hostnames, IP addresses, ports or counters collapse into one row. For each distinct error pattern it reports how many times it was seen, on how many hosts, the text of the most recent instance, and the earliest and most recent times it occurred, with a sparkline showing the trend over the search window. Two details matter when adapting it: the earliest and most recent times must come from earliest(_time) and latest(_time), because first() and last() depend on the order events arrive in, and a normal search returns events newest first, so first(_time) would actually be the most recent occurrence; and the _internal index is large, so run the search over a bounded time range (for example the last 24 hours) and with a role that is allowed to search _internal.
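The aggregation the stats stage performs can be reproduced offline to see exactly how punct grouping and the earliest/latest distinction behave. The following is an added example, not code from the original page or from Splunk: it parses a handful of constructed splunkd.log lines, groups ERROR events by an approximation of Splunk's punct signature (the punct() helper is an assumed simplification of Splunk's extractor), and computes the same columns as the search. The sample events are listed newest first, as a Splunk search returns them, and the row also records first_seen, the value an order-dependent first(_time) would have returned, so the mislabeling is visible next to the correct earliest time.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample splunkd.log events (not real data). Each tuple is (host, raw event);
# the host stands in for Splunk's host field. Events are listed newest first, the order a
# Splunk search returns them, which is why order-dependent first()/last() mislabel times.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("fwd01", "01-15-2024 10:11:07.333 +0000 ERROR TcpOutputProc - Connection to 10.0.0.5:9997 closed. Read error. Connection reset by peer"),
    ("fwd01", "01-15-2024 10:09:59.900 +0000 WARN  TcpOutputProc - Cooked connection to ip=10.0.0.5:9997 timed out"),
    ("idx01", "01-15-2024 10:05:40.120 +0000 ERROR IndexProcessor - Index 'main' has reached its configured maximum size"),
    ("fwd02", "01-15-2024 10:03:01.001 +0000 ERROR TcpOutputProc - Connection to 10.0.0.6:9997 closed. Read error. Connection reset by peer"),
    ("fwd01", "01-15-2024 10:02:13.456 +0000 ERROR TcpOutputProc - Connection to 10.0.0.5:9997 closed. Read error. Connection reset by peer"),
]

# splunkd.log layout: "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<message>.*)$"
)


def punct(raw: str, limit: int = 30) -> str:
    """Approximate Splunk's punct field (an assumed simplification, not Splunk's exact
    extractor): drop letters and digits, keep punctuation, map space to '_' and tab to
    't', and stop after `limit` characters. Because digits are dropped, messages that
    differ only in IPs, ports or counters collapse into one signature."""
    out: List[str] = []
    for ch in raw:
        if ch.isalnum():
            continue
        out.append("_" if ch == " " else "t" if ch == "\t" else ch)
        if len(out) == limit:
            break
    return "".join(out)


def summarize_errors(events: List[Tuple[str, str]], level: str = "ERROR") -> List[Dict]:
    """Mirror the stats stage of the search: group events of the given level by punct and
    report count, distinct hosts, the message of the latest event, and the earliest and
    latest timestamps. Times are found by comparing _time, never by arrival order."""
    groups: Dict[str, Dict] = {}
    for host, raw in events:
        m = LINE_RE.match(raw)
        if not m or m.group("level") != level:
            continue
        ts = datetime.strptime(f"{m['ts']} {m['tz']}", "%m-%d-%Y %H:%M:%S.%f %z")
        key = punct(raw)
        g = groups.get(key)
        if g is None:
            g = groups[key] = {
                "punct": key,
                "count": 0,
                "hosts": set(),
                "first_time": ts,
                "last_time": ts,
                "first_seen": ts,  # what first(_time) returns: the first event encountered
                "last_raw_msg": m["message"],
            }
        g["count"] += 1                      # count
        g["hosts"].add(host)                 # dc(host)
        if ts < g["first_time"]:
            g["first_time"] = ts             # earliest(_time)
        if ts >= g["last_time"]:
            g["last_time"] = ts              # latest(_time)
            g["last_raw_msg"] = m["message"] # latest(event_message)

    fmt = "%m/%d/%Y %H:%M:%S"  # same shape as convert ctime() output
    rows = [
        {
            "Error": g["last_raw_msg"],
            "Count": g["count"],
            "Affected Hosts": len(g["hosts"]),
            "First Occurrence": g["first_time"].strftime(fmt),
            "Most Recent Occurrence": g["last_time"].strftime(fmt),
            "first_seen": g["first_seen"].strftime(fmt),
            "punct": g["punct"],
        }
        for g in groups.values()
    ]
    rows.sort(key=lambda r: r["Count"], reverse=True)  # | sort - Count
    return rows


if __name__ == "__main__":
    for row in summarize_errors(SAMPLE_EVENTS):
        print(row)
```

On the sample data the three TcpOutputProc errors from two forwarders fold into one row with Count 3 and Affected Hosts 2, the WARN line is excluded by the level filter, and the IndexProcessor error forms its own row. The first_seen column equals the Most Recent Occurrence, which is the value the original first(_time) would have placed under "First Occurrence".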