topic Re: How to use events only from 'active' host? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-use-events-only-from-active-host/m-p/527050#M148771 <LI-CODE lang="markup">| makeresults | eval events="2020-10-07 11:13:29.283 app1 IDLE 2020-10-07 11:28:09.284 app1 IDLE 2020-10-07 11:51:17.138 app2 IDLE 2020-10-08 01:55:27.816 app1 app2 standby 2020-10-08 01:55:40.591 app2 app1 active 2020-10-08 13:37:01.284 app1 IDLE 2020-10-09 12:11:13.786 app2 IDLE 2020-10-12 09:01:49.119 app1 app2 active 2020-10-12 09:12:30.444 app2 app1 standby 2020-10-12 10:43:59.461 app2 IDLE 2020-10-12 10:57:41.298 app1 IDLE " | rex field=events max_match=0 "(?&lt;event&gt;.+)[\r\n]*" | mvexpand event | fields - events | rex field=event mode=sed "s/\t/,/g s/,,/,/g" | rex field=event "(?&lt;time&gt;[^,]+),(?&lt;host&gt;[^,]+),(?&lt;prev&gt;[^,]+),(?&lt;server&gt;[^,]+),(?&lt;server_state&gt;.*)" | fields - event _time | eval _time=strptime(time,"%Y-%m-%d %H:%M:%S.%Q") | fields - time | eval active_server=if(server_state="active",server,null) | eval active_state=if(server_state="active",server_state,null) | streamstats latest(active_server) as active_server latest(active_state) as active_state | eval server=if(prev="IDLE",active_server,server) | eval server_state=if(prev="IDLE",active_state,server_state) | fields - active_server active_state</LI-CODE> Thu, 29 Oct 2020 10:15:43 GMT ITWhisperer 2020-10-29T10:15:43Z How to use events only from 'active' host? https://community.splunk.com/t5/Splunk-Search/How-to-use-events-only-from-active-host/m-p/527001#M148749 <P>I have 2 different data set:</P><P>1. host and prevStatus field with IDLE value</P><P>2. server (same values as host) and server state with active/standby values.</P><P>I would like to use prevStatus events ONLY from the active server.&nbsp; My base search is something like</P><P>index=indx (host=app1 OR host app2) (prevStatus=IDLE OR (server_state=active OR server_state=standby))<BR /><BR />How do I mark all the prevStatus events so, that they have the current server_state field on them, so that I can then just filter</P><P>prevStatus=IDLE AND host=server AND server_state=active?</P><P>I think I need to use streamstats, but I did not quite get it there.</P><P>Example data table below:</P><P>&nbsp;</P><LI-CODE lang="markup">_time host prevStatus server server_state 2020-10-07 11:13:29.283 app1 IDLE 2020-10-07 11:28:09.284 app1 IDLE 2020-10-07 11:51:17.138 app2 IDLE 2020-10-08 01:55:27.816 app1 app2 standby 2020-10-08 01:55:40.591 app2 app1 active 2020-10-08 13:37:01.284 app1 IDLE 2020-10-09 12:11:13.786 app2 IDLE 2020-10-12 09:01:49.119 app1 app2 active 2020-10-12 09:12:30.444 app2 app1 standby 2020-10-12 10:43:59.461 app2 IDLE 2020-10-12 10:57:41.298 app1 IDLE</LI-CODE><P>&nbsp;</P><P>I think I need something like this:</P><LI-CODE lang="markup">_time host prevStatus server server_state 2020-10-07 11:13:29.283 app1 IDLE 2020-10-07 11:28:09.284 app1 IDLE 2020-10-07 11:51:17.138 app2 IDLE 2020-10-08 01:55:27.816 app1 app2 standby 2020-10-08 01:55:40.591 app2 app1 active 2020-10-08 13:37:01.284 app1 IDLE app1 active 2020-10-09 12:11:13.786 app2 IDLE app1 active 2020-10-12 09:01:49.119 app1 app2 active 2020-10-12 09:12:30.444 app2 app1 standby 2020-10-12 10:43:59.461 app2 IDLE app2 active 2020-10-12 10:57:41.298 app1 IDLE app2 active</LI-CODE> Thu, 29 Oct 2020 06:04:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-events-only-from-active-host/m-p/527001#M148749 JykkeDaMan 2020-10-29T06:04:54Z Re: How to use events only from 'active' host? https://community.splunk.com/t5/Splunk-Search/How-to-use-events-only-from-active-host/m-p/527050#M148771 <LI-CODE lang="markup">| makeresults | eval events="2020-10-07 11:13:29.283 app1 IDLE 2020-10-07 11:28:09.284 app1 IDLE 2020-10-07 11:51:17.138 app2 IDLE 2020-10-08 01:55:27.816 app1 app2 standby 2020-10-08 01:55:40.591 app2 app1 active 2020-10-08 13:37:01.284 app1 IDLE 2020-10-09 12:11:13.786 app2 IDLE 2020-10-12 09:01:49.119 app1 app2 active 2020-10-12 09:12:30.444 app2 app1 standby 2020-10-12 10:43:59.461 app2 IDLE 2020-10-12 10:57:41.298 app1 IDLE " | rex field=events max_match=0 "(?&lt;event&gt;.+)[\r\n]*" | mvexpand event | fields - events | rex field=event mode=sed "s/\t/,/g s/,,/,/g" | rex field=event "(?&lt;time&gt;[^,]+),(?&lt;host&gt;[^,]+),(?&lt;prev&gt;[^,]+),(?&lt;server&gt;[^,]+),(?&lt;server_state&gt;.*)" | fields - event _time | eval _time=strptime(time,"%Y-%m-%d %H:%M:%S.%Q") | fields - time | eval active_server=if(server_state="active",server,null) | eval active_state=if(server_state="active",server_state,null) | streamstats latest(active_server) as active_server latest(active_state) as active_state | eval server=if(prev="IDLE",active_server,server) | eval server_state=if(prev="IDLE",active_state,server_state) | fields - active_server active_state</LI-CODE> Thu, 29 Oct 2020 10:15:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-events-only-from-active-host/m-p/527050#M148771 ITWhisperer 2020-10-29T10:15:43Z