Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can i search 1 host at a time when index hits a number of hosts.

HelloItsMe76
Explorer
‎02-02-2022 10:33 AM

I have an index which searches across 10 hosts. I am comparing 2 strings and evaluating the results to see if there is an issue that needs alerting. The results are being messed up as its evaluating the 2 strings from 2 different boxes - ie string1 on hostA against string2 on hostB.  It should be string1 on host1 against string2 on host1. Then go to host2 , host3 ..... host10.

How can i get my search to either sequentionally go through each host or have the results group by host to not show results that have come from 2 diff hosts. 

current logic is: 

index="abc" "string1 OR string2" | transaction startswith="string1" endswith="string2" | where count>2

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-02-2022 11:16 PM

Hi @HelloItsMe76,

let me understand:

you want to check if there's a group of hosts (at least 2 or more) where there are both the strings, is this correct?

please try something like this:

index="abc" "string1 OR string2" 
| eval string=if(searchmatch("string1"),"String1","String2")
| stats dc(host) AS dc_host values(host) AS host dc(string) AS dc_string
| where dc_host>1 AND dc_string>1
| mvexpand host
| table host

Ciao.

Giuseppe

0 Karma
Reply

HelloItsMe76
Explorer
‎02-03-2022 08:37 AM

Thanks for the reply..

one small update to my original post is that it should read "duration > 2" at the end.

to clarify -  both strings will appear in all the 10 hosts. at the moment my search is comparing strings from different hosts, it should not do that. I understand i can create 10 alerts (1 for each host), but i would like to find a more efficient way and do it in 1 alert.  So i am looking to go through each host in the source / index and evaluate string1 vs string2 on host1, then go to host2 and so on up to host10.  

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-03-2022 09:15 AM

Hi @HelloItsMe76,

if you need also to check duration, you have to modify the search, something like this:

index="abc" "string1 OR string2" 
| eval string=if(searchmatch("string1"),"String1","String2")
| stats dc(host) AS dc_host values(host) AS host dc(string) AS dc_string earliest(_time) AS earliest latest(_time) AS latest
| eval duration=latest-earliest
| where dc_host>1 AND dc_string>1 AND duration>2
| mvexpand host
| table host

Ciao.

Giuseppe

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎02-02-2022 01:15 PM
Can you post sample events to understand your needs?
0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...