Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Help with events data!
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ppatrikfr
Path Finder
04-26-2018
09:29 AM
I have this code bellow and i want to just keep with lines of when my Virtual Machine changed Cluster ou VMhost.
Obs.: I cant use "dedup" because i have VMs that was moved to the same cluster twice.![alt text][1]
earliest=03/01/2018:00:00:00 latest=03/31/2018:23:59:00 sourcetype="VCENTER_VMS_INFO"
| eval VM=upper(VM)
| table _time VM VMhost Cluster
| where VM="VMName" | bucket span=1h _time | stats values(VMhost) as VMhost values(Cluster) as Cluster by _time VM |
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
04-26-2018
11:49 AM
Give this a try
earliest=03/01/2018:00:00:00 latest=03/31/2018:23:59:00 sourcetype="VCENTER_VMS_INFO"
| eval VM=upper(VM)
| table _time VM VMhost Cluster
| where VM="DCDEV00027" | bucket span=1h _time | stats values(VMhost) as VMhost values(Cluster) as Cluster by _time VM
| streamstats current=f window=1 values(VMhost) as prevVMhost values(Cluster) as prevCluster by VM
| whehre VMhost!=prevVMhost OR Cluster!=prevCluster
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pradeepkumarg
Influencer
04-26-2018
11:49 AM
You can use autoregress to get the value from previous row and compare it with current row value. Something like below
| autoregress VMhost as Old_VMhost | eval Flag=if(VMhost==Old_VMhost ,"N","Y") | where Flag="Y"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
04-26-2018
11:49 AM
Give this a try
earliest=03/01/2018:00:00:00 latest=03/31/2018:23:59:00 sourcetype="VCENTER_VMS_INFO"
| eval VM=upper(VM)
| table _time VM VMhost Cluster
| where VM="DCDEV00027" | bucket span=1h _time | stats values(VMhost) as VMhost values(Cluster) as Cluster by _time VM
| streamstats current=f window=1 values(VMhost) as prevVMhost values(Cluster) as prevCluster by VM
| whehre VMhost!=prevVMhost OR Cluster!=prevCluster
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ppatrikfr
Path Finder
04-27-2018
03:28 AM
It works as i was hoping, thanks for your help!!!
Get Updates on the Splunk Community!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
The Transformative Power of AI and ML in Enhancing Observability
In the realm of IT operations, the ...
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
