Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a search to find offline event that does not have a corresponding succeeding online event

dglass0215
Path Finder
‎11-08-2019 09:25 AM

Hello,

I have a sourcetype which has data telling me if something goes offline and then when it comes online.

I am trying to write a search that only shows the most recent offline event where a newer online event has not yet occurred.

Any help is appreciated!

0 Karma
Reply

woodcock
Esteemed Legend
‎11-16-2019 02:46 PM

Like this:

... | streamstats count(eval(action="online")) AS sessionID BY host and other fields here
| stats count dc(action) AS action_count values(action) AS actions BY sessionID hsot and other fields here
| where action_count == 1
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-09-2019 03:01 AM

Hi dglass0215,
a sample of yur data could be useful, but anyway you should select the conditions, e.g. having:

  • an index called my_index,
  • a username field called user,
  • an host name called host,
  • a field called status that contains different strings for offline and online ("go offline" and "go online");

you could run something like this, if it's relevant the duration of offline (e.g. online must come back at most in 5 minutes):

index=my_index (status="go offline" OR status="go online")
| transaction user host startswith="go offline" endswith="go online" keeporphans=true maxspan=300s
| search NOT status="go online"
| ...

But it's a slow search (transaction is a very slow command).

If instead it isn't relevant the time between offline and online, you could run something like this

index=my_index (status="go offline" OR status="go online")
| stats dc(status) AS count values(status) AS status BY user host
| where count=1

that's quicker.

Ciao.
Giuseppe

0 Karma
Reply

dglass0215
Path Finder
‎11-11-2019 09:48 AM

Thanks Giuseppe this is very helpful! I do realize a sample of my data would useful, it is just tough to do so since I am in a disconnected environment. Basically it is as simple as Host, TimeStamp, onlineStatus. I do not have a username field, nor do I (at least at this moment in time) care about the duration of offline. I just want to know if an offline has occurred without a corresponding online. Your second query above looks like it would almost do what I need! However couldn't that query wind up showing an online event depending on how the timeframe of the query was setup?

Thanks Again!

0 Karma
Reply

Sukisen1981
Champion
‎11-08-2019 10:52 PM

hi can you please provide some sample events and desired output?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...