
Check near id and results

Path Finder

Hello Splunkers.

I have the following sample data with more than 1000 ids. So what I'm looking for is: when a radio status is down, I want to include the nearby radio id information as well in my alert search.

radioid=101 radiostatus=down region=Europe
radioid=102 radiostatus=up region=Europe
radioid=103 radiostatus=down region=Europe
radioid=104 radiostatus=down region=America

For example, if radioid 103 was down then I need the status of radio id 102 as well as the status of 104, i.e. near-range radio id status info that I also want to add to the search.


Re: Check near id and results

SplunkTrust

Are the 100 events / ids always at the same time? Meaning with the same timestamp?


Re: Check near id and results

Path Finder

It's not the same timestamp.. all are different events.. just treat them like normal hosts sending..

All I need to do is check the neighboring id -- id+1 (1 higher number) and id-1 (1 lower number) -- whose status also needs to be added to my search...


Re: Check near id and results

Legend

@Splunk_rocks can you try the following streamstats commands to get the previous and next values for radioid and radiostatus?

|  streamstats last(radioid) as prevId last(radiostatus) as prevStatus current=f window=1
|  reverse
|  streamstats first(radioid) as nextId first(radiostatus) as nextStatus current=f window=1
|  reverse

Then you can apply the logic as per your need. Following is the logic I have applied based on information provided, but adjust as per your actual requirement:

|  eval finalRadioStatus=case(radiostatus="down" AND nextStatus="down" AND nextId=radioid+1,"down",
                              radiostatus="down" AND prevStatus="down" AND prevId=radioid-1,"down",
                              true(),"up")

Following is a run-anywhere search which generates the data and shows how the logic is applied:

|  makeresults
|  eval data="radioid=101 radiostatus=down region=Europe;radioid=102 radiostatus=up region=Europe;radioid=103 radiostatus=down region=Europe;radioid=104 radiostatus=down region=America"
|  makemv data delim=";"
|  mvexpand data
|  rename data as _raw
|  KV
|  streamstats last(radioid) as prevId last(radiostatus) as prevStatus current=f window=1
|  reverse
|  streamstats first(radioid) as nextId first(radiostatus) as nextStatus current=f window=1
|  reverse
|  eval finalRadioStatus=case(radiostatus="down" AND nextStatus="down" AND nextId=radioid+1,"down",
                              radiostatus="down" AND prevStatus="down" AND prevId=radioid-1,"down",
                              true(),"up")

Re: Check near id and results

Path Finder

Thanks for your inputs, much appreciated.

I will check, but how can I get the status into the search for the radioid and status info? Like this:

radioid  status  region  nearbyid  status  nearbyid  status
103      down    atl     102       up      101       up


Re: Check near id and results

Legend

You should be able to easily manipulate the above run-anywhere example to get only the required fields, which you can plug into your original query. Also it seems like you do not need the eval for finalRadioStatus, as you are just displaying the current id and the nearby ids and statuses.
