Solved: Help with stats: identify the latest result for ea...

mydog8it · ‎10-26-2015

I am searching through the router and switch syslog data trying to find spanning tree state changes for a given time period. Once found I want to put the device name, port and STP state in a table. I also want to identify which of the STP states(BLOCKING, LEARNING, FORWARDING) for each Device/interface combination is the Current State. The stats string below identifies all but the current state correctly:

Search command |stats dc(DeviceName) AS "Device Names" values(Port) AS "Ports" dc(Port) AS "Ps" values(STP_State) AS "State" by DeviceName,STP_State 
| eval stats first(STP_State)="Current State"

Desired output would look something like:

somesoni2 · ‎10-26-2015

Try this

Search command |stats dc(DeviceName) AS "Device Names" values(Port) AS "Ports" dc(Port) AS "Ps" values(STP_State) AS "State" latest(STP_State) as "Current State" by DeviceName

View solution in original post

somesoni2 · ‎10-26-2015

Try this

Search command |stats dc(DeviceName) AS "Device Names" values(Port) AS "Ports" dc(Port) AS "Ps" values(STP_State) AS "State" latest(STP_State) as "Current State" by DeviceName

Richfez · ‎10-26-2015

What does the output of the stats command get you (without the eval)? Just a line or two would be fine.

Help with stats: identify the latest result for each set of results

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life