Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Query for processes status from multiple hosts

splunker_ind
Loves-to-Learn
‎11-18-2021 01:51 PM

Hi Splunkers, 

I have a 2 hosts i.e server1 & server2.

Each host running with multiple processes. Lets say the processes are process1 & process2.

I want to create a dashboard to show the latest processes status whether it is Running or Not Running in each host

 

index=os host IN (server1 server2)  ARGS=*process1* OR ARGS=*process2*
| eval process1_status=if(like(ARGS,"%process1%"),"Running","Not Running")
| eval process2_status=if(like(ARGS,"%process2%"),"Running","Not Running")
| stats latest(process1_status)  latest(process2_status)  by host
| fillnull value=NULL

But this query is not giving correct results.

Each event will have either ARGS field as process1 or ARGS field as process2.

 

 

Labels (3)
Labels
0 Karma
Reply

splunker_ind
Loves-to-Learn
‎11-18-2021 02:41 PM

I used join command which works fine but it takes time.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Enhance Security Operations with Automated Threat Analysis in the Splunk EcosystemAre you leveraging ...

Splunk Developers: Go Beyond the Dashboard with These .Conf25 Sessions

  Whether you’re building custom apps, diving into SPL2, or integrating AI and machine learning into your ...

Index This | How do you write 23 only using the number 2?

July 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...
Top