Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to join my two searches to monitor a combinati...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunker9999
Path Finder
06-02-2016
09:02 AM
Hi Splunkers,
We are looking to join 2 searches in getting a single point result.
Currently we have a search which gives UP and Down status. When a server is UP, it turns to green, and if down, it turns RED. Below is the search.
This search takes the latest event and gives us the result (Up/Down) based on status. If we don't have any latest event, by default it is UP.
index=f5 server1 monitor status fillnull value="up" F5_TCPStatus | eval status=if(F5_MonitorStatus="monitor status up" OR F5_MonitorStatus="monitor status enabled" ,10,0)|head 1 |appendpipe [ stats count | eval status=10 | where count==0 | fields - count ] | stats values(status) AS severity| rangemap field=severity severe=0-9 low=10-11 default=elevated
Now current scenario is, we have 2 more statuses added up to field "MonitorStatus"
1. Monitor Status Enabled
2. Monitor Status Disabled.
These statuses occur when server administrators disable any server during a maintenance window.
Scenario 1: If we will filter head 1 events with status "up" and head 1 events with status "Disable", then we need to turn the symbol to RED.
This gives us UP/down status for head 1 event:
index=f5 server1 monitor status fillnull value="up" F5_TCPStatus | eval status=if(F5_MonitorStatus="monitor status up" ,10,0)|head 1 |appendpipe [ stats count | eval status=10 | where count==0 | fields - count ] | stats values(status) AS severity| rangemap field=severity severe=0-9 low=10-11 default=elevated
This gives head 1 event of Enable/Disable status:
index=f5 server1 monitor status disabled fillnull value="enabled" F5_TCPStatus | eval status=if(F5_MonitorStatus="monitor status enabled" ,10,0)|head 1 |appendpipe [ stats count | eval status=10 | where count==0 | fields - count ] | stats values(status) AS severity| rangemap field=severity severe=0-9 low=10-11 default=elevated
We need to combine these 2 searches such that it needs to check both search events and it should satisfy below conditions to be GREEN OR RED
COlor: Status1 status 2
Green UP ENABLE
RED UP Disable
RED DOWN ENABLE
RED DOWN DISABLE
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
06-02-2016
09:44 AM
Try this
iindex=f5 server1 monitor status fillnull value="up" F5_TCPStatus | eval status=if(F5_MonitorStatus="monitor status up" ,10,0)|head 1 |appendpipe [ stats count | eval status=10 | where count==0 | fields - count ]
| append [search index=f5 server1 monitor status disabled fillnull value="enabled" F5_TCPStatus | eval status=if(F5_MonitorStatus="monitor status enabled" ,10,0)|head 1 |appendpipe [ stats count | eval status=10 | where count==0 | fields - count ] ] | stats sum(status) as severity | rangemap field=severity severe=0-19 low=20-21 default=elevated
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
06-02-2016
09:44 AM
Try this
iindex=f5 server1 monitor status fillnull value="up" F5_TCPStatus | eval status=if(F5_MonitorStatus="monitor status up" ,10,0)|head 1 |appendpipe [ stats count | eval status=10 | where count==0 | fields - count ]
| append [search index=f5 server1 monitor status disabled fillnull value="enabled" F5_TCPStatus | eval status=if(F5_MonitorStatus="monitor status enabled" ,10,0)|head 1 |appendpipe [ stats count | eval status=10 | where count==0 | fields - count ] ] | stats sum(status) as severity | rangemap field=severity severe=0-19 low=20-21 default=elevated
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunker9999
Path Finder
06-02-2016
01:52 PM
Nice, This works good .Thank you.
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Tech Talk Recap | Mastering Threat Hunting
Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...
Observability for AI Applications: Troubleshooting Latency
If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...
