Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Help with advanced search for matching entry?

RobertRi
Communicator
‎02-02-2023 10:47 PM

Hello Community!

I'm searching for a solution to highlight the "HostC", which has an AppC failure and no further log entry, that AppC is started again.
How can I do this, regardless on which host this happens?

I saw a comment, to create events for "app failure" and "app started" and then make a transaction,
but is there an other way too?

SampleData:

1.1.1970 08:00 HostA -
1.1.1970 08:00 HostB AppB=failure
1.1.1970 08:00 HostC AppC=failure
1.1.1970 09:00 HostA AppA=started
1.1.1970 09:00 HostB AppB=started
1.1.1970 09:00 HostC -

Thanks for your help
Rob

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎02-03-2023 01:13 AM

Several possible approaches.  But the simplest seems to be to just look for latest app message.  You didn't illustrate what you mean by "highlight".  So, I have to speculate that you just need the name of host and application which had this kind of orphan.  But the biggest problem is that you didn't say whether HostA, B, C are values of a field (like host?), and whether AppA, B, C are values of a field (like application?), and if keywords like failure and started are values of a field (like status?).  Assuming none of these fields (except _time) is available, you will have to extract them first.

| rex field=data "^(?<timestamp>\S+\s+\S+)\s+(?<host>\S+)\s+(?<info>\S+)"
| rex field=info "(?<app>[^=]+)=(?<status>.+)"
| eval _time = strptime(timestamp, "%d.%m.%Y %H:%M")
``` extraction above ```
| stats latest(status) as last_status by host
| where last_status == "failure"

Is this what you need?

View solution in original post

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎02-03-2023 01:13 AM

Several possible approaches.  But the simplest seems to be to just look for latest app message.  You didn't illustrate what you mean by "highlight".  So, I have to speculate that you just need the name of host and application which had this kind of orphan.  But the biggest problem is that you didn't say whether HostA, B, C are values of a field (like host?), and whether AppA, B, C are values of a field (like application?), and if keywords like failure and started are values of a field (like status?).  Assuming none of these fields (except _time) is available, you will have to extract them first.

| rex field=data "^(?<timestamp>\S+\s+\S+)\s+(?<host>\S+)\s+(?<info>\S+)"
| rex field=info "(?<app>[^=]+)=(?<status>.+)"
| eval _time = strptime(timestamp, "%d.%m.%Y %H:%M")
``` extraction above ```
| stats latest(status) as last_status by host
| where last_status == "failure"

Is this what you need?

Tags (1)
0 Karma
Reply
Solved! Jump to solution

RobertRi
Communicator
‎02-03-2023 02:44 AM

Thank you! 

This was the solution! 👍

| stats latest

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...