Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to query a table that shows field value changes using streamstat?

BorisT
Observer
‎07-28-2022 01:43 AM

I am trying to get my query to work correctly and display it in a table format for easy analysis.

The fields I am using are:

Host device_active Device_enabled _time

 

I am trying to track changes from device_active being enabled ("2") to becoming disabled ("1").  I want to display a table that shows which hostnames, within the last 2-4hrs, have changed from enabled to disabled.  If possible add traceability. 

Device_active="1" ----->disabled

Device_active="2" ------>enabled

I tried following some tutorials but could not get it work correctly:

https://splunkonbigdata.com/find-out-the-errors-occurring-2-or-more-times-consecutively/

https://community.splunk.com/t5/Splunk-Search/How-to-count-how-many-times-a-field-value-has-changed-...

_______________________________________

Currently, I have the following query:

index="log-main" sourcetype=monitoring device_active earliest=-4h latest=-2h

| table host, device_active, device_enabled, _time | dedup host

| streamstats current=f window=1 max(device_active) as prev_status

| eval isConsecutive = if (device_active == Previous_error, 1, 0)

| streamstats count as count by device_active reset_before=(isConsecutive==0)
| streamstats count(eval(isConsecutive==0)) as #ofdisconnects

 

Which is producing the following:

Host device_enabled device_active time #ofdisconnects count isconsecutive prev_status

 

This is currently showing "all" hostnames and not filtering out "just" the ones that have changed statuses.  I'd like to display the following information, but filtered down to just the hosts that have "device_active" disabled, but recently were enabled.

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎07-28-2022 01:52 AM

You are using dedup to remove all duplicate hosts - that seems fundamentally wrong in that if you want to find two events where device_active has different values, it will be impossible, as you've removed all but one event for every host.

You also need to run streamstats using global=f flag and also split "by host", so that it will collect the previous values per host, not for any event.

See what that gives you and let's go from that point.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...