Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can i search 1 host at a time when index hits a number of hosts.

HelloItsMe76
Explorer
‎02-02-2022 10:33 AM

I have an index which searches across 10 hosts. I am comparing 2 strings and evaluating the results to see if there is an issue that needs alerting. The results are being messed up as its evaluating the 2 strings from 2 different boxes - ie string1 on hostA against string2 on hostB.  It should be string1 on host1 against string2 on host1. Then go to host2 , host3 ..... host10.

How can i get my search to either sequentionally go through each host or have the results group by host to not show results that have come from 2 diff hosts. 

current logic is: 

index="abc" "string1 OR string2" | transaction startswith="string1" endswith="string2" | where count>2

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-02-2022 11:16 PM

Hi @HelloItsMe76,

let me understand:

you want to check if there's a group of hosts (at least 2 or more) where there are both the strings, is this correct?

please try something like this:

index="abc" "string1 OR string2" 
| eval string=if(searchmatch("string1"),"String1","String2")
| stats dc(host) AS dc_host values(host) AS host dc(string) AS dc_string
| where dc_host>1 AND dc_string>1
| mvexpand host
| table host

Ciao.

Giuseppe

0 Karma
Reply

HelloItsMe76
Explorer
‎02-03-2022 08:37 AM

Thanks for the reply..

one small update to my original post is that it should read "duration > 2" at the end.

to clarify -  both strings will appear in all the 10 hosts. at the moment my search is comparing strings from different hosts, it should not do that. I understand i can create 10 alerts (1 for each host), but i would like to find a more efficient way and do it in 1 alert.  So i am looking to go through each host in the source / index and evaluate string1 vs string2 on host1, then go to host2 and so on up to host10.  

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-03-2022 09:15 AM

Hi @HelloItsMe76,

if you need also to check duration, you have to modify the search, something like this:

index="abc" "string1 OR string2" 
| eval string=if(searchmatch("string1"),"String1","String2")
| stats dc(host) AS dc_host values(host) AS host dc(string) AS dc_string earliest(_time) AS earliest latest(_time) AS latest
| eval duration=latest-earliest
| where dc_host>1 AND dc_string>1 AND duration>2
| mvexpand host
| table host

Ciao.

Giuseppe

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎02-02-2022 01:15 PM
Can you post sample events to understand your needs?
0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...