Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to query a table that shows field value changes using streamstat?

BorisT
Observer
‎07-28-2022 01:43 AM

I am trying to get my query to work correctly and display it in a table format for easy analysis.

The fields I am using are:

Host device_active Device_enabled _time

 

I am trying to track changes from device_active being enabled ("2") to becoming disabled ("1").  I want to display a table that shows which hostnames, within the last 2-4hrs, have changed from enabled to disabled.  If possible add traceability. 

Device_active="1" ----->disabled

Device_active="2" ------>enabled

I tried following some tutorials but could not get it work correctly:

https://splunkonbigdata.com/find-out-the-errors-occurring-2-or-more-times-consecutively/

https://community.splunk.com/t5/Splunk-Search/How-to-count-how-many-times-a-field-value-has-changed-...

_______________________________________

Currently, I have the following query:

index="log-main" sourcetype=monitoring device_active earliest=-4h latest=-2h

| table host, device_active, device_enabled, _time | dedup host

| streamstats current=f window=1 max(device_active) as prev_status

| eval isConsecutive = if (device_active == Previous_error, 1, 0)

| streamstats count as count by device_active reset_before=(isConsecutive==0)
| streamstats count(eval(isConsecutive==0)) as #ofdisconnects

 

Which is producing the following:

Host device_enabled device_active time #ofdisconnects count isconsecutive prev_status

 

This is currently showing "all" hostnames and not filtering out "just" the ones that have changed statuses.  I'd like to display the following information, but filtered down to just the hosts that have "device_active" disabled, but recently were enabled.

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎07-28-2022 01:52 AM

You are using dedup to remove all duplicate hosts - that seems fundamentally wrong in that if you want to find two events where device_active has different values, it will be impossible, as you've removed all but one event for every host.

You also need to run streamstats using global=f flag and also split "by host", so that it will collect the previous values per host, not for any event.

See what that gives you and let's go from that point.

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...