Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Matching the fields on 2 hosts

Hawkins
Loves-to-Learn
‎11-09-2023 11:36 AM

Being fairly new to many features in Splunk, I wish to verify that the fields on 2 different hosts match for consistency. Here's a simple search to show the fields I'd like to verify.  What's the best way to go about this?

index="postgresql" sourcetype="postgres" host=FLSM-ZEUS-PSQL-*
| table host, node_name, node_id, active, type
| where NOT isnull(node_name)

 

hostnode_namenode_idactivetype
FLSM-ZEUS-PSQL-02flsm-zeus-psql-022tstandby
FLSM-ZEUS-PSQL-02flsm-zeus-psql-011tprimary
FLSM-ZEUS-PSQL-01flsm-zeus-psql-022tstandby
FLSM-ZEUS-PSQL-01flsm-zeus-psql-011tprimary

 

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-09-2023 01:26 PM

Which fields are you trying to match?  What exactly does "verify" mean in this context?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

hawkik1
Loves-to-Learn Everything
‎11-09-2023 03:54 PM

My goal is to make sure that databases on 2 servers have the same data. I'll be using this search in an alert to monitor the health of a sql cluster. My goal it to create an alert that triggers when  the fields:  node_name, node_id, active or type  on both servers don't match each other.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-09-2023 05:22 PM

Please explain this use case more.  You say you're looking for matches, but the example output contains 4 unique results.  What is expected to match in that?  Please provide a sample match.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

hawkik1
Loves-to-Learn Everything
‎11-10-2023 10:04 AM

I have 2 servers FLSM-ZEUS=-PSQL-01, FLSM-ZEUS-PSQL-02. Both servers are part of a SQL cluster. They both have identical records on them. The fields on both servers are node_name, node_id, active, and type. What I wish to do is come up with a search that makes sure the fields on both servers match. Some of them are multivalue fields. The reason for this is, if the cluster isn't communicating correctly, the records may become out of sync. If this happens, I'll create an alert letting me know.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-10-2023 10:13 AM

There you go again using the word "match" without explaining what constitutes a match in this use case.   How would a human know if there is a match or not?  Once we know that then we can try to figure out how to get Splunk to make the same determination.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

hawkik1
Loves-to-Learn Everything
‎11-10-2023 10:57 AM

Match = When the same field on both hosts has the same value. In the example below, both server1 and server2 have a value of "1" in Field_a. That constitutes a match. If Field_a on both hosts has a value of "1" then we have a match.

Server1 - Field_a=1

Server2 - Field_a=1

 

I wish to verify that the values in each of the four fields on server1 match the values in each of the 4 fields on server2.

Server1                Server2

node_name  =  node_name

node_id      =     node_id

active        =        active

type         =          type

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-10-2023 12:00 PM

See if this helps.  It groups results by host, node_name, node_id, active, and type.  If there are 2 in a group then it's a match; otherwise, it isn't.

index="postgresql" sourcetype="postgres" host=FLSM-ZEUS-PSQL-*
| fields host, node_name, node_id, active, type
| where NOT isnull(node_name)
| stats count by host, node_name, node_id, active, type
| eval match = if(count=2, "Yes", "No")
| fields - count
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...