Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can i search 1 host at a time when index hits a number of hosts.

HelloItsMe76
Explorer
‎02-02-2022 10:33 AM

I have an index which searches across 10 hosts. I am comparing 2 strings and evaluating the results to see if there is an issue that needs alerting. The results are being messed up as its evaluating the 2 strings from 2 different boxes - ie string1 on hostA against string2 on hostB.  It should be string1 on host1 against string2 on host1. Then go to host2 , host3 ..... host10.

How can i get my search to either sequentionally go through each host or have the results group by host to not show results that have come from 2 diff hosts. 

current logic is: 

index="abc" "string1 OR string2" | transaction startswith="string1" endswith="string2" | where count>2

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-02-2022 11:16 PM

Hi @HelloItsMe76,

let me understand:

you want to check if there's a group of hosts (at least 2 or more) where there are both the strings, is this correct?

please try something like this:

index="abc" "string1 OR string2" 
| eval string=if(searchmatch("string1"),"String1","String2")
| stats dc(host) AS dc_host values(host) AS host dc(string) AS dc_string
| where dc_host>1 AND dc_string>1
| mvexpand host
| table host

Ciao.

Giuseppe

0 Karma
Reply

HelloItsMe76
Explorer
‎02-03-2022 08:37 AM

Thanks for the reply..

one small update to my original post is that it should read "duration > 2" at the end.

to clarify -  both strings will appear in all the 10 hosts. at the moment my search is comparing strings from different hosts, it should not do that. I understand i can create 10 alerts (1 for each host), but i would like to find a more efficient way and do it in 1 alert.  So i am looking to go through each host in the source / index and evaluate string1 vs string2 on host1, then go to host2 and so on up to host10.  

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-03-2022 09:15 AM

Hi @HelloItsMe76,

if you need also to check duration, you have to modify the search, something like this:

index="abc" "string1 OR string2" 
| eval string=if(searchmatch("string1"),"String1","String2")
| stats dc(host) AS dc_host values(host) AS host dc(string) AS dc_string earliest(_time) AS earliest latest(_time) AS latest
| eval duration=latest-earliest
| where dc_host>1 AND dc_string>1 AND duration>2
| mvexpand host
| table host

Ciao.

Giuseppe

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎02-02-2022 01:15 PM
Can you post sample events to understand your needs?
0 Karma
Reply
Get Updates on the Splunk Community!

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...
Top