index=_internal sourcetype=splunkd log_level="ERROR"
| stats sparkline count dc(host) as hosts latest(event_message) as last_raw_msg values(sourcetype) as sourcetype last(_time) as last_msg_time first(_time) as first_msg_time values(index) as index by punct
| convert ctime(last_msg_time) ctime(first_msg_time)
| table last_raw_msg count hosts sourcetype index first_msg_time last_msg_time sparkline | rename last_raw_msg as "Error", count as Count, hosts as "Affected Hosts", sourcetype as Sourcetype, index as Index, first_msg_time as "First Occurence", last_msg_time as "Most Recent Occurence", sparkline as Trend
| sort - Count
0 comments
[0]
[0]
[0]
[0]
index=_internal sourcetype="splunkd" log_level="ERROR" | stats sparkline count dc(host) as uniquehosts last(event_message) as event_message last(_time) as last first(_time) as first by punct | eval last=strftime(last,"%b %d, %Y %H:%M:%S"), first=strftime(first,"%b %d, %Y %H:%M:%S") | table event_message count uniquehosts first last sparkline | sort -count | rename event_message as "Error" count as Count uniquehosts as "Affected Hosts" first as "First Occurance" last as "Most Recent Occurance", sparkline as Trend
0 comments
[0]
[0]
[0]
[0]