topic Re: Summary Field = "OK" or "DOWN" in Splunk Search

Summary Field = "OK" or "DOWN"

tmarlette — Wed, 05 Mar 2014 21:36:47 GMT

I am currently attempting to create a 'summary' type of view within a dashboard stating that this list of services (svc1,svc2,svc3,svc4) are all running on the machine, but is only displaying and either "OK" or "DOWN" Status. If ANY of these services are down, this query should show the "DOWN" status, as this is just a summary panel.

The search I am working with currently is as follows:
sourcetype=WMI:Service (Name= OR Name= OR Name= OR name= OR Name=) | dedup host | eval State = if(State == Running, "OK", "Down") |table _time,host,Name,State| rename Name as "Service Name"

That being said, it gives me the display i'm looking for (1 status of either OK or DOWN per machine) though if 1 of the 5 services are down, the summary 'State' field doesn't change to "DOWN".

I suppose I'm attempting to summarize the running state of 5 services into one instance of either "OK" if all 5 services are running, but even if only 1 of them is not, then the summary field would switch to a "DOWN" state.

Let me know if I don't make sense right now.. i've been looking at these things all day, so I apologize for any minced words. Any help is greatly appreciated!

Re: Summary Field = "OK" or "DOWN"

aelliott — Wed, 05 Mar 2014 21:38:40 GMT

you mean State="Running" right 😉

Re: Summary Field = "OK" or "DOWN"

aelliott — Wed, 05 Mar 2014 21:40:14 GMT

You could order by State Ascending before deduping, then if there are any "down" it will show up top.. That seems like a much easier solution

That will require you to move your "if" statement though before the sort,dedup

| sort State | dedup etc.

Re: Summary Field = "OK" or "DOWN"

tmarlette — Wed, 05 Mar 2014 21:42:41 GMT

Could you show me how that would look?

Re: Summary Field = "OK" or "DOWN"

tmarlette — Wed, 05 Mar 2014 21:43:18 GMT

yessir I do. i'm a little loopy at the moment.

Re: Summary Field = "OK" or "DOWN"

MuS — Thu, 06 Mar 2014 12:26:31 GMT

Hi tmarlette,

based on this use case ... the running state of 5 services into one instance of either "OK" if all 5 services are running, but even if only 1 of them is not, then the summary field would switch to a "DOWN" state. ... you can use a search like this:

 sourcetype=WMI:Service (Name=<svc_1> OR Name=<svc_2> OR Name=<svc_3> OR Name=<svc_4> OR Name=<svc_5>) | dedup host | eventstats count(eval(State="Running")) AS myCount | eval State=if(myCount=="5", "OK", "Down") | table _time,host,Name,State | rename Name as "Service Name"

this will count all the running states and if the count is 5 the State field is OK, if the count is not 5 the State field is Down.

hope this helps ...

cheers, MuS

Re: Summary Field = "OK" or "DOWN"

tmarlette — Thu, 06 Mar 2014 14:49:52 GMT

Nevermind I figured this out. thank you sir!!

Re: Summary Field = "OK" or "DOWN"

tmarlette — Thu, 06 Mar 2014 14:51:07 GMT

This answer works as well, so Thank you very much sir! I can only mark one answer, but I just tested this and it works well.