https://community.splunk.com/t5/Splunk-Search/State-Search-Help/m-p/65033#M16071 <P>thank you for your help.</P> <P>another question is, if it is possible to search within this stats output. I have tried many things without success.</P> <P>("State UP" OR "State DOWN") | stats first(state) by application | search DOWN</P> <P>I don't want the latest DOWN event because in the meantime a UP event could be written into the log, so I would try to catch only the latest State event witch have a DOWN value</P> <P>Do you have a clue ?</P> <P>Bye<BR /> Rob</P> Fri, 08 Oct 2010 14:44:38 GMT RobertRi 2010-10-08T14:44:38Z https://community.splunk.com/t5/Splunk-Search/State-Search-Help/m-p/65030#M16068 <P>Hi</P> <P>I have a logfile which looks like this:</P> <P>%Date %Time %Server %Application %State ("State UP" or "State DOWN")</P> <P>If I try to find the last State for App1, i will use this search</P> <P>App1 ("State UP" OR "State DOWN") | head 1</P> <P>this will result in one event with State UP or DOWN</P> <P>My problem now is that there are 50 Apps and I would like to show a list with all 50 Apps and there current states.</P> <P>Could you please help me with this search</P> <P>Thanks Rob</P> Wed, 06 Oct 2010 15:53:25 GMT https://community.splunk.com/t5/Splunk-Search/State-Search-Help/m-p/65030#M16068 RobertRi 2010-10-06T15:53:25Z https://community.splunk.com/t5/Splunk-Search/State-Search-Help/m-p/65031#M16069 <P>I have tried the following which looks good<BR /> ("State UP" OR "State DOWN") | stats first(state) by application</P> <P>maybe you have an alternate solution ?</P> Wed, 06 Oct 2010 16:26:31 GMT https://community.splunk.com/t5/Splunk-Search/State-Search-Help/m-p/65031#M16069 RobertRi 2010-10-06T16:26:31Z https://community.splunk.com/t5/Splunk-Search/State-Search-Help/m-p/65032#M16070 <P>RobertRi, </P><P> I am not sure from your message if your fields are properly extracted or not. If the fields that contain "Application" and "State" are extracted, then you could do a variety of things including:</P> <P>SEARCH: sourcetype=YourSourcetype | table Application,State SEARCH: sourcetype=YourSourcetype | stats list State by Application</P> <P>You should replace YourSourcetype with whatever the proper sourcetype is here.</P> <P>You might want to add something like this at the end of your search <I>| sort Application</I> to alter the order your results are displayed.</P> <P>Also, depending on how many events are in your index per Application you might need to do a dedup.</P> <P>If your fields are not currently extracted, you should do that first so that the data is more usable. </P><P>Sean</P> Wed, 06 Oct 2010 18:12:47 GMT https://community.splunk.com/t5/Splunk-Search/State-Search-Help/m-p/65032#M16070 sdwilkerson 2010-10-06T18:12:47Z https://community.splunk.com/t5/Splunk-Search/State-Search-Help/m-p/65033#M16071 <P>thank you for your help.</P> <P>another question is, if it is possible to search within this stats output. I have tried many things without success.</P> <P>("State UP" OR "State DOWN") | stats first(state) by application | search DOWN</P> <P>I don't want the latest DOWN event because in the meantime a UP event could be written into the log, so I would try to catch only the latest State event witch have a DOWN value</P> <P>Do you have a clue ?</P> <P>Bye<BR /> Rob</P> Fri, 08 Oct 2010 14:44:38 GMT https://community.splunk.com/t5/Splunk-Search/State-Search-Help/m-p/65033#M16071 RobertRi 2010-10-08T14:44:38Z https://community.splunk.com/t5/Splunk-Search/State-Search-Help/m-p/65034#M16072 <P>Check my blog post regarding maintaining state:</P> <PRE><CODE><A href="http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/" target="test_blank">http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/</A> </CODE></PRE> Sun, 30 Jan 2011 03:39:32 GMT https://community.splunk.com/t5/Splunk-Search/State-Search-Help/m-p/65034#M16072 araitz 2011-01-30T03:39:32Z