Splunk Search

How can I search 1 host at a time when the index hits a number of hosts?

HelloItsMe76
Explorer

I have an index which searches across 10 hosts. I am comparing 2 strings and evaluating the results to see if there is an issue that needs alerting. The results are being messed up as it's evaluating the 2 strings from 2 different boxes, i.e. string1 on hostA against string2 on hostB. It should be string1 on host1 against string2 on host1. Then go to host2, host3 ... host10.

How can I get my search to either sequentially go through each host or have the results grouped by host, so as not to show results that have come from 2 different hosts?

Current logic is:

index="abc" ("string1" OR "string2") | transaction startswith="string1" endswith="string2" | where count>2


gcusello
SplunkTrust

Hi @HelloItsMe76,

Let me understand:

You want to check if there's a group of hosts (at least 2 or more) where both strings are present, is this correct?

Please try something like this:

index="abc" ("string1" OR "string2")
| eval string=if(searchmatch("string1"),"String1","String2")
| stats dc(host) AS dc_host values(host) AS host dc(string) AS dc_string
| where dc_host>1 AND dc_string>1
| mvexpand host
| table host

Ciao.

Giuseppe


HelloItsMe76
Explorer

Thanks for the reply.

One small update to my original post is that it should read "duration > 2" at the end.

To clarify: both strings will appear in all 10 hosts. At the moment my search is comparing strings from different hosts; it should not do that. I understand I can create 10 alerts (1 for each host), but I would like to find a more efficient way and do it in 1 alert. So I am looking to go through each host in the source/index and evaluate string1 vs string2 on host1, then go to host2 and so on up to host10.


gcusello
SplunkTrust

Hi @HelloItsMe76,

If you also need to check duration, you have to modify the search, something like this:

index="abc" ("string1" OR "string2")
| eval string=if(searchmatch("string1"),"String1","String2")
| stats dc(host) AS dc_host values(host) AS host dc(string) AS dc_string earliest(_time) AS earliest latest(_time) AS latest
| eval duration=latest-earliest
| where dc_host>1 AND dc_string>1 AND duration>2
| mvexpand host
| table host 

Ciao.

Giuseppe
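As an added illustration (not from either poster), the same stats pattern restricted to a single host at a time: grouping `BY host` keeps string1 and string2 from one box together, and the per-host duration is measured from the first string1 to the last string2. The index, strings and field names are taken from the thread and are assumptions about the real data.

```spl
index="abc" ("string1" OR "string2")
| eval string=if(searchmatch("string1"),"String1","String2")
| stats min(eval(if(string="String1",_time,null()))) AS first_string1
        max(eval(if(string="String2",_time,null()))) AS last_string2
        dc(string) AS dc_string
        BY host
| where dc_string>1
| eval duration=last_string2-first_string1
| where duration>2
| table host first_string1 last_string2 duration
```

Each result row is one host, so a single alert covers all 10 hosts without mixing events across them.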


isoutamo
SplunkTrust
Can you post sample events to understand your needs?