topic Re: Search doesn't show results if for the same node are present two type of alarms in Splunk Search

Search doesn't show results if for the same node are present two type of alarms

ngerosa — Wed, 12 Jul 2017 07:59:12 GMT

Hello,
I have a query that extract some type of alarms divided by NODE.
These are the columns of the query:

_time ALARM NODE

If for the same NODE is present ALARM = "FAN-IS" and ALARM="SRMISS" I don't want to show the two rows of the two alarms.

Example:

2017-07-11 13:00:25 FAN-IS MILAN
2017-07-11 13:01:42 SRMISS MILAN
2017-07-11 14:10:12 CARD-PROBLEM ROME

I want to show only:

2017-07-11 14:10:12 CARD-PROBLEM ROME

Any ideas?

Thanks!

Re: Search doesn't show results if for the same node are present two type of alarms

somesoni2 — Wed, 12 Jul 2017 14:01:16 GMT

Try this

Your query giving fields _time ALARM NODE
| eventstats values(ALARM) as alarms by NODE
| where NOT (isnotnull(mvfind(alarms,"FAN-IS")) AND isnotnull(mvfind(alarms,"SRMISS")))

Updated answer

 Your query giving fields _time ALARM NODE
  | eventstats values(ALARM) as alarms by NODE
  | eval shouldKeep=if(isnotnull(mvfind(alarms,"FAN-IS")) AND isnotnull(mvfind(alarms,"SRMISS")),"No","Yes")
  | where shouldKeep="Yes"

Re: Search doesn't show results if for the same node are present two type of alarms

ngerosa — Wed, 12 Jul 2017 14:29:22 GMT

Hi somesoni2,
I tried but it didn't work.
The following is the results of the search:

ALARM NODE _time alarms
SRMISS MILAN 2017-06-21 13:08:18.0 FAN-IS
SRMISS

Re: Search doesn't show results if for the same node are present two type of alarms

somesoni2 — Wed, 12 Jul 2017 14:38:29 GMT

Try this

Your query giving fields _time ALARM NODE
 | eventstats values(ALARM) as alarms by NODE
 | where isnull(mvfind(alarms,"FAN-IS")) AND isnull(mvfind(alarms,"SRMISS"))
| fields - alarms

Re: Search doesn't show results if for the same node are present two type of alarms

ngerosa — Wed, 12 Jul 2017 14:53:12 GMT

It doesn't work.
The search include all alarms (FAN-IS and SRMISS)

Re: Search doesn't show results if for the same node are present two type of alarms

somesoni2 — Wed, 12 Jul 2017 14:57:34 GMT

How about this?

Your query giving fields _time ALARM NODE
 | eventstats values(ALARM) as alarms by NODE
 | eval shouldKeep=if(isnotnull(mvfind(alarms,"FAN-IS")) AND isnotnull(mvfind(alarms,"SRMISS")),"No","Yes")
 | where shouldKeep="Yes"

If this doesnt work then remove last where clause and see if the values are coming per your requirement (manual check).

Re: Search doesn't show results if for the same node are present two type of alarms

ngerosa — Wed, 12 Jul 2017 15:22:13 GMT

It works!!
Thank you very much!
If you modify the answer I'll accept!