Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I compare field names?

gunturu_nagasri
Explorer
‎01-04-2016 10:33 PM

p.123.label - hostname 1
p.123.status - status of the server 1

p.234.label - hostname 2
p.234.status - status of the server2

... n servers list

the above mentioned 123 and 234 are dynamic.

How can the field names be compared? I need the output in the table format like each hostname and its status details respectively? Is it possible?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jmallorquin
Builder
‎01-05-2016 01:47 AM

Hi,

Just playing 🙂

| rest splunk_server=* /services/shcluster/status |fields peers*label |transpose |table column "row 1" |rename "row 1" as label
|append [ rest splunk_server=* /services/shcluster/status | fields peers*status |transpose |table column "row 1" |rename "row 1" as status]
|rex field=column "[^\.]+.(?<id>[^\.]+)"
|stats last(label) as label last(status) as status by id

Hope i help you

View solution in original post

Reply
Solved! Jump to solution
Solution

jmallorquin
Builder
‎01-05-2016 01:47 AM

Hi,

Just playing 🙂

| rest splunk_server=* /services/shcluster/status |fields peers*label |transpose |table column "row 1" |rename "row 1" as label
|append [ rest splunk_server=* /services/shcluster/status | fields peers*status |transpose |table column "row 1" |rename "row 1" as status]
|rex field=column "[^\.]+.(?<id>[^\.]+)"
|stats last(label) as label last(status) as status by id

Hope i help you

Reply
Solved! Jump to solution

gunturu_nagasri
Explorer
‎01-05-2016 06:00 AM

Thanks a lot, This helped me , but i have a question i dont want results to be displayed by id. I want the results to be displayed by comparing the id value from the first search matching the id value with the second search.

Eg : Id of host = 123, Id of status = 123 then its respective Hostname and status should be displayed in tabular format.

i.e Search results of two searches should be combined by comparing the regex value.

0 Karma
Reply
Solved! Jump to solution

jmallorquin
Builder
‎01-05-2016 07:23 AM

Hi,

But this is what it does... if you use this part:

 | rest splunk_server=* /services/shcluster/status |fields peers*label |transpose |table column "row 1" |rename "row 1" as label
 |append [ rest splunk_server=* /services/shcluster/status | fields peers*status |transpose |table column "row 1" |rename "row 1" as status]

You will see that add the to tables in one.

Then I extract the ID without .label and .status

|rex field=column "[^\.]+.(?<id>[^\.]+)"

And then with the stats I "join" both in one.

 |stats last(label) as label last(status) as status by id
0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎01-04-2016 10:39 PM

are these single line or multi-line?
If its multi-line, is there a common field in those events?
If its multi-line, are they coming in the mentioned order ie; hostname 1, status 1 , hostname2,status etc?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

gunturu_nagasri
Explorer
‎01-04-2016 11:04 PM

  1. I am unable to attach the screen shot here from my desktop. It is poping for a Image url. Can i know how can i directy attach the screenshot without any links.

  2. It is a single line. It is not the feild value . It is the feild name. And the feild name has a comman begining and ending and in between nos are dynamic.

Query :

| rest splunk_server=* /services/shcluster/status | fields peers*label, peers*status

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...