Re: Can you help me with my query that uses multip...

jcleary47 · ‎10-03-2018

I have a search to identify when a particular server activates "hardware mode" and doesn't exit within a certain time range.

So basically, after my stats count by search, I've narrowed the results down to servers that don't report both "hardware activated" and "hardware exited" . But now, I am left with multiple servers that have 1 entry and some of these are "hardware exited", and I am trying to exclude those so I only see servers that have a message of "hardware activated" .

So my results might look like this:

server1 HW mode activated
server2 HW mode exited
server3 HW mode exited
server4 HW mode activated
server5 HW mode exited

This is what I'm using for a search to keep out servers that show BOTH messages (and my attempt to also further narrow it down to "HW Mode Activated"

| stats values(message) as message count by server
| where count < 2 AND message="HW mode activated"
| table server, message, count

What am I missing here? It says results not found, even though I do have a server that has only the message "HW mode activated" after reducing the results to those with only 1 count.

VatsalJagani · ‎10-03-2018

Hi @jcleary47,
Can you try below query? Please make sure query before this is extracting message and server field.

| search message="HW mode activated"
| stats count by server
| where count < 2
| eval message="HW mode activated"
| table server, message, count

eval statement is just added in case you want message to be displayed. Hope this helps!!

Sukisen1981 · ‎10-03-2018

remove your where condition and see the value of count against the server and message. See what the count shows

Can you help me with my query that uses multiple where conditions?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor