Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can i search 1 host at a time when index hits a number of hosts.

HelloItsMe76
Explorer
‎02-02-2022 10:33 AM

I have an index which searches across 10 hosts. I am comparing 2 strings and evaluating the results to see if there is an issue that needs alerting. The results are being messed up as its evaluating the 2 strings from 2 different boxes - ie string1 on hostA against string2 on hostB.  It should be string1 on host1 against string2 on host1. Then go to host2 , host3 ..... host10.

How can i get my search to either sequentionally go through each host or have the results group by host to not show results that have come from 2 diff hosts. 

current logic is: 

index="abc" "string1 OR string2" | transaction startswith="string1" endswith="string2" | where count>2

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-02-2022 11:16 PM

Hi @HelloItsMe76,

let me understand:

you want to check if there's a group of hosts (at least 2 or more) where there are both the strings, is this correct?

please try something like this:

index="abc" "string1 OR string2" 
| eval string=if(searchmatch("string1"),"String1","String2")
| stats dc(host) AS dc_host values(host) AS host dc(string) AS dc_string
| where dc_host>1 AND dc_string>1
| mvexpand host
| table host

Ciao.

Giuseppe

0 Karma
Reply

HelloItsMe76
Explorer
‎02-03-2022 08:37 AM

Thanks for the reply..

one small update to my original post is that it should read "duration > 2" at the end.

to clarify -  both strings will appear in all the 10 hosts. at the moment my search is comparing strings from different hosts, it should not do that. I understand i can create 10 alerts (1 for each host), but i would like to find a more efficient way and do it in 1 alert.  So i am looking to go through each host in the source / index and evaluate string1 vs string2 on host1, then go to host2 and so on up to host10.  

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-03-2022 09:15 AM

Hi @HelloItsMe76,

if you need also to check duration, you have to modify the search, something like this:

index="abc" "string1 OR string2" 
| eval string=if(searchmatch("string1"),"String1","String2")
| stats dc(host) AS dc_host values(host) AS host dc(string) AS dc_string earliest(_time) AS earliest latest(_time) AS latest
| eval duration=latest-earliest
| where dc_host>1 AND dc_string>1 AND duration>2
| mvexpand host
| table host

Ciao.

Giuseppe

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎02-02-2022 01:15 PM
Can you post sample events to understand your needs?
0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top