Solved: How to join my two searches to monitor a combinati...

splunker9999 · ‎06-02-2016

Hi Splunkers,

We are looking to join 2 searches in getting a single point result.

Currently we have a search which gives UP and Down status. When a server is UP, it turns to green, and if down, it turns RED. Below is the search.

This search takes the latest event and gives us the result (Up/Down) based on status. If we don't have any latest event, by default it is UP.

index=f5 server1  monitor status fillnull value="up" F5_TCPStatus | eval status=if(F5_MonitorStatus="monitor status up" OR F5_MonitorStatus="monitor status enabled" ,10,0)|head 1 |appendpipe [ stats count | eval status=10 | where count==0 | fields - count ] | stats values(status) AS severity| rangemap field=severity severe=0-9 low=10-11 default=elevated

Now current scenario is, we have 2 more statuses added up to field "MonitorStatus"
1. Monitor Status Enabled
2. Monitor Status Disabled.
These statuses occur when server administrators disable any server during a maintenance window.

Scenario 1: If we will filter head 1 events with status "up" and head 1 events with status "Disable", then we need to turn the symbol to RED.

This gives us UP/down status for head 1 event:

index=f5 server1  monitor status fillnull value="up" F5_TCPStatus | eval status=if(F5_MonitorStatus="monitor status up" ,10,0)|head 1 |appendpipe [ stats count | eval status=10 | where count==0 | fields - count ] | stats values(status) AS severity| rangemap field=severity severe=0-9 low=10-11 default=elevated

This gives head 1 event of Enable/Disable status:

index=f5 server1  monitor status disabled fillnull value="enabled" F5_TCPStatus | eval status=if(F5_MonitorStatus="monitor status enabled"  ,10,0)|head 1 |appendpipe [ stats count | eval status=10 | where count==0 | fields - count ] | stats values(status) AS severity| rangemap field=severity severe=0-9 low=10-11 default=elevated

We need to combine these 2 searches such that it needs to check both search events and it should satisfy below conditions to be GREEN OR RED

COlor:       Status1       status 2
Green        UP            ENABLE
RED          UP            Disable
RED          DOWN          ENABLE
RED          DOWN          DISABLE

somesoni2 · ‎06-02-2016

Try this

iindex=f5 server1  monitor status fillnull value="up" F5_TCPStatus | eval status=if(F5_MonitorStatus="monitor status up" ,10,0)|head 1 |appendpipe [ stats count | eval status=10 | where count==0 | fields - count ] 
| append [search  index=f5 server1  monitor status disabled fillnull value="enabled" F5_TCPStatus | eval status=if(F5_MonitorStatus="monitor status enabled"  ,10,0)|head 1 |appendpipe [ stats count | eval status=10 | where count==0 | fields - count ] ] | stats sum(status) as severity  | rangemap field=severity severe=0-19 low=20-21 default=elevated

View solution in original post

somesoni2 · ‎06-02-2016

Try this

iindex=f5 server1  monitor status fillnull value="up" F5_TCPStatus | eval status=if(F5_MonitorStatus="monitor status up" ,10,0)|head 1 |appendpipe [ stats count | eval status=10 | where count==0 | fields - count ] 
| append [search  index=f5 server1  monitor status disabled fillnull value="enabled" F5_TCPStatus | eval status=if(F5_MonitorStatus="monitor status enabled"  ,10,0)|head 1 |appendpipe [ stats count | eval status=10 | where count==0 | fields - count ] ] | stats sum(status) as severity  | rangemap field=severity severe=0-19 low=20-21 default=elevated

splunker9999 · ‎06-02-2016

Nice, This works good .Thank you.

How to join my two searches to monitor a combination of two status fields for a rangemap condition?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!