Splunk Search

Help with search and stats

a212830
Champion

Hi,

I need to report on the latest events per two fields - remotehost and FS_Name. The FS_Name could be the same on each remotehost. I've tried the following, but it only returns the unique instance of the filesystem. Is there a way to get the last per remotehost and FS_Name?

index=coreops sourcetype=sitescope_monitorstat MonitorType=FileSystem
    (remotehost=lrtp17 OR remotehost=lrtp21 OR remotehost=lrtp22 OR remotehost=lrtp23 OR remotehost=lrtp24 OR remotehost=lrtp25 OR remotehost=lrtp26)
    (FS_Name="/fiis/" OR FS_Name="/dis") earliest=-15m
| eval FS_PercUsed=tonumber(rtrim(Use,"%"))
| where FS_PercUsed > 50
| stats latest(_time) as _time, latest(FS_PercUsed) as FS_PercUsed by remotehost, FS_Name


chimell
Motivator

Hi a212830

To combine the remotehost and FS_Name fields into a unique field,
use this search:

index=coreops sourcetype=sitescope_monitorstat MonitorType=FileSystem
    (remotehost=lrtp17 OR remotehost=lrtp21 OR remotehost=lrtp22 OR remotehost=lrtp23 OR remotehost=lrtp24 OR remotehost=lrtp25 OR remotehost=lrtp26)
    (FS_Name="/fiis/" OR FS_Name="/dis") earliest=-15m
| eval fiel1=mvzip(remotehost, FS_Name)
| table fiel1

Then you can add this at the end of the search above:

| stats first(fiel1) as remotehostFS_Name

to obtain the latest value of the combined field.


Runals
Motivator

If you are just wanting the most recent events based on those fields I would use dedup like

... base search ... | dedup remotehost FS_Name | table ...

Similar to what j4adam mentioned, Splunk returns results in reverse chronological order, so the most recent event is seen/returned first. By using dedup it gets that first value (values, in this case, for both fields) and ignores subsequent events.


j4adam
Communicator

Have you tried "stats first(x)" instead of "stats latest(x)" ?

"first(X)" returns the most recent value of field X. I'm pretty new to Splunk, so I apologize if this is not correct.


a212830
Champion

Thanks, that didn't work. I think the issue is how do I make remotehost and FS_Name a combined unique field, and report on that, but I could be wrong.


HeinzWaescher
Motivator

To create a combined field, you could use

| eval combined_field=remotehost."_".FS_Name
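
Putting the thread's pieces together, here is a complete search as an added example; it is not code from any of the posts above. Field names and values are the ones from the original search; the one assumption is that Use holds a percentage string such as "73%", which is what the original rtrim(Use,"%") implies. The OR groups are parenthesized so they are not affected by operator precedence, the percentage is converted to a number before it is compared, and stats groups on the remotehost/FS_Name pair so the same FS_Name on two hosts stays distinct. The host_fs field is only built afterwards, for anyone who wants a single key column to feed into dedup, table or a lookup.

```spl
index=coreops sourcetype=sitescope_monitorstat MonitorType=FileSystem
    (remotehost=lrtp17 OR remotehost=lrtp21 OR remotehost=lrtp22 OR remotehost=lrtp23
     OR remotehost=lrtp24 OR remotehost=lrtp25 OR remotehost=lrtp26)
    (FS_Name="/fiis/" OR FS_Name="/dis") earliest=-15m
| eval FS_PercUsed=tonumber(rtrim(Use,"%"))
| stats latest(_time) as _time, latest(FS_PercUsed) as FS_PercUsed by remotehost, FS_Name
| where FS_PercUsed > 50
| eval host_fs=remotehost.":".FS_Name
| sort 0 remotehost FS_Name
| table _time host_fs remotehost FS_Name FS_PercUsed
```

Note the order of where and stats. Filtering after stats reports a host/filesystem pair only when its most recent reading is above the threshold; filtering before stats, as in the original search, returns the most recent reading that happened to exceed 50 even if a newer reading had already dropped below it, which is how a usage alert goes stale. If you prefer the dedup approach from Runals's answer, put an explicit `| sort 0 -_time` in front of `| dedup remotehost FS_Name` so "first" really means newest rather than depending on the order in which results arrive.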