Hi,
I need to report on the latest events per two fields - remotehost and FS_Name. The FS_Name could be the same on each remotehost. I've tried the following, but it only returns the unique instance of the filesystem. Is there a way to get the last per remotehost and FS_Name?
index=coreops sourcetype=sitescope_monitorstat MonitorType=FileSystem remotehost=lrtp17 OR remotehost=lrtp21 OR remotehost=lrtp22 OR remotehost=lrtp23 OR remotehost=lrtp24 OR remotehost=lrtp25 OR remotehost=lrtp26 FS_Name="/fiis/" OR FS_Name="/dis" earliest=-15m | eval FS_PercUsed=rtrim(Use,"%") |where FS_PercUsed > 50 |stats latest(remotehost), latest(_time) as _time, latest(FS_PercUsed) by remotehost, FS_Name
Hi a212830
To combine the remotehost and FS_Name fields into a unique field, use this search:
index=coreops sourcetype=sitescope_monitorstat MonitorType=FileSystem remotehost=lrtp17 OR remotehost=lrtp21 OR remotehost=lrtp22 OR remotehost=lrtp23 OR remotehost=lrtp24 OR remotehost=lrtp25 OR remotehost=lrtp26 FS_Name="/fiis/" OR FS_Name="/dis" earliest=-15m|eval fiel1=mvzip( remotehost , FS_Name)|eval fiel2=split(fiel1,",")|table fiel2
Then you can add this at the end of the search above:
|stats first(fiel2) as remotehostFS_Name
to obtain the latest value of the combined field.
If you just want the most recent events based on those fields, I would use dedup, like:
... base search ... | dedup remotehost FS_Name | table ...
Similar to what j4adam mentioned, Splunk returns results in reverse chronological order, so the most recent event is seen/returned first. By using dedup it gets that first value (values, in this case, for both fields) and ignores subsequent events.
Have you tried "stats first(x)" instead of "stats latest(x)" ?
"first(X)" returns the most recent value of field X. I'm pretty new to Splunk, so I apologize if this is not correct.
Thanks, that didn't work. I think the issue is how do I make remotehost and FS_Name a combined unique field, and report on that, but I could be wrong.
To create a combined field, you could use:
| eval combined_field=remotehost+"_"+FS_Name
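The following is an added, self-contained SPL example (not from any poster in this thread) that ties the replies together on a constructed data set: it builds six fake FileSystem events with `makeresults`, reuses the field names from the question (remotehost, FS_Name, Use, FS_PercUsed), takes the latest value per remotehost/FS_Name pair with `stats latest() by`, applies the 50% threshold after the aggregation, and only then builds the combined `host_fs` key. The hostnames, percentages and timestamps are invented for the demonstration.

```spl
| makeresults count=6
| streamstats count as n
| eval _time = now() - (n * 60)
| eval remotehost = if(n <= 3, "lrtp17", "lrtp21")
| eval FS_Name = if(n % 2 == 1, "/fiis/", "/dis")
| eval Use = case(n == 1, "72%", n == 2, "40%", n == 3, "65%",
                  n == 4, "45%", n == 5, "35%", true(), "90%")
| eval FS_PercUsed = tonumber(rtrim(Use, "%"))
| stats latest(_time) as _time, latest(FS_PercUsed) as FS_PercUsed by remotehost, FS_Name
| where FS_PercUsed > 50
| eval host_fs = remotehost . "_" . FS_Name
| table _time, host_fs, remotehost, FS_Name, FS_PercUsed
```

Row n=1 is the newest event (60 seconds ago) and n=6 the oldest. The search returns a single row, lrtp17_/fiis/ at 72%, because the newest reading for lrtp21 /dis (n=4) is 45%. If the `where` clause is moved in front of `stats`, as in the original question, the 45% event is discarded before aggregation and lrtp21 /dis is reported at 90% from the six-minute-old event n=6, so filter after aggregating when the goal is "current state above threshold". `tonumber()` is used so the comparison is numeric rather than lexicographic. The dedup variant from the thread is `| sort - _time | dedup remotehost FS_Name`; the explicit sort is only needed here because `makeresults` rows are not in reverse-chronological order the way real search results are.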