Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Help with events data!
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ppatrikfr
Path Finder
04-26-2018
09:29 AM
I have this code bellow and i want to just keep with lines of when my Virtual Machine changed Cluster ou VMhost.
Obs.: I cant use "dedup" because i have VMs that was moved to the same cluster twice.![alt text][1]
earliest=03/01/2018:00:00:00 latest=03/31/2018:23:59:00 sourcetype="VCENTER_VMS_INFO"
| eval VM=upper(VM)
| table _time VM VMhost Cluster
| where VM="VMName" | bucket span=1h _time | stats values(VMhost) as VMhost values(Cluster) as Cluster by _time VM |
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
04-26-2018
11:49 AM
Give this a try
earliest=03/01/2018:00:00:00 latest=03/31/2018:23:59:00 sourcetype="VCENTER_VMS_INFO"
| eval VM=upper(VM)
| table _time VM VMhost Cluster
| where VM="DCDEV00027" | bucket span=1h _time | stats values(VMhost) as VMhost values(Cluster) as Cluster by _time VM
| streamstats current=f window=1 values(VMhost) as prevVMhost values(Cluster) as prevCluster by VM
| whehre VMhost!=prevVMhost OR Cluster!=prevCluster
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pradeepkumarg
Influencer
04-26-2018
11:49 AM
You can use autoregress to get the value from previous row and compare it with current row value. Something like below
| autoregress VMhost as Old_VMhost | eval Flag=if(VMhost==Old_VMhost ,"N","Y") | where Flag="Y"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
04-26-2018
11:49 AM
Give this a try
earliest=03/01/2018:00:00:00 latest=03/31/2018:23:59:00 sourcetype="VCENTER_VMS_INFO"
| eval VM=upper(VM)
| table _time VM VMhost Cluster
| where VM="DCDEV00027" | bucket span=1h _time | stats values(VMhost) as VMhost values(Cluster) as Cluster by _time VM
| streamstats current=f window=1 values(VMhost) as prevVMhost values(Cluster) as prevCluster by VM
| whehre VMhost!=prevVMhost OR Cluster!=prevCluster
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ppatrikfr
Path Finder
04-27-2018
03:28 AM
It works as i was hoping, thanks for your help!!!
Get Updates on the Splunk Community!
Data Management Digest – December 2025
Welcome to the December edition of Data Management Digest!
As we continue our journey of data innovation, the ...
Index This | What is broken 80% of the time by February?
December 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this ...
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
Hello Splunk Community,
We're thrilled to share an exciting update that will help you manage your data more ...
