- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Can I compare a field from two or more subsear...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have three environments test, stage and prod where we run a script that creates a log file that pr. event lists name of environment, application name, buildversion for the app and the cluster it is installed to, like
12.06.2015 10:13:32,935 cellName=test applicationName=useradmin-ear buildVersion=1.7.0 clusterName=InternalCluster
My plan is to create script that creates a table in our documentation wiki showing a table with the environments as columns and applicationnames as rows the buildVersion and then mark the differences.
But then it struck me that I could save me all that work if I am able to create a search in Splunk doing this. That would be
search in indexes test,stage and prod
find all applicationNames
where buildVersion is not equal in all indexes
show result in a table as applicationName,test.buildVersion,stage.buildVersion, prod.buildVersion
I did try to play around with the set command without to much luck so far.
set intersect [search index=stage source="E:\\logs\allApplicationsWithDetails.log" | fields applicationName,buildVersion] [search index=test source="E:\\logs\\allApplicationsWithDetails.log" | fields applicationName,buildVersion]
well aware of the fact that this might be a long shot...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
(index=test OR index=stage OR index=prod) source="E:\\logs\allApplicationsWithDetails.log" | stats dc(buildVersion) AS numVersions list(buildVersion) AS versions list(index) AS indices BY applicationName | where numVersions > 1
The 2 lists map value-to-value (the first value in indices goes with the first value in versions)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
(index=test OR index=stage OR index=prod) source="E:\\logs\allApplicationsWithDetails.log" | stats dc(buildVersion) AS numVersions list(buildVersion) AS versions list(index) AS indices BY applicationName | where numVersions > 1
The 2 lists map value-to-value (the first value in indices goes with the first value in versions)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks!
That does it...saves me hours of Powershell-scripting.
R.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why are you still using Powershell? I ditched it after my first use of MobaXterm.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tempting, but as it is said: "Choose your battles..." and when working in a company running Windows all over introducing something like MobaXterm is just for the few, not for the masses, so Powershell is the path of least resistance 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Powershell is for Windows people and MobaXterm is for *nix people. IMHO, if you have *nix people on staff and not providing something like MobaXterm, you hare seriously hamstringing them and cratering their productivity.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
