Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to use events only from 'active' host?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JykkeDaMan
Path Finder
10-28-2020
11:04 PM
I have 2 different data set:
1. host and prevStatus field with IDLE value
2. server (same values as host) and server state with active/standby values.
I would like to use prevStatus events ONLY from the active server. My base search is something like
index=indx (host=app1 OR host app2) (prevStatus=IDLE OR (server_state=active OR server_state=standby))
How do I mark all the prevStatus events so, that they have the current server_state field on them, so that I can then just filter
prevStatus=IDLE AND host=server AND server_state=active?
I think I need to use streamstats, but I did not quite get it there.
Example data table below:
_time host prevStatus server server_state
2020-10-07 11:13:29.283 app1 IDLE
2020-10-07 11:28:09.284 app1 IDLE
2020-10-07 11:51:17.138 app2 IDLE
2020-10-08 01:55:27.816 app1 app2 standby
2020-10-08 01:55:40.591 app2 app1 active
2020-10-08 13:37:01.284 app1 IDLE
2020-10-09 12:11:13.786 app2 IDLE
2020-10-12 09:01:49.119 app1 app2 active
2020-10-12 09:12:30.444 app2 app1 standby
2020-10-12 10:43:59.461 app2 IDLE
2020-10-12 10:57:41.298 app1 IDLE
I think I need something like this:
_time host prevStatus server server_state
2020-10-07 11:13:29.283 app1 IDLE
2020-10-07 11:28:09.284 app1 IDLE
2020-10-07 11:51:17.138 app2 IDLE
2020-10-08 01:55:27.816 app1 app2 standby
2020-10-08 01:55:40.591 app2 app1 active
2020-10-08 13:37:01.284 app1 IDLE app1 active
2020-10-09 12:11:13.786 app2 IDLE app1 active
2020-10-12 09:01:49.119 app1 app2 active
2020-10-12 09:12:30.444 app2 app1 standby
2020-10-12 10:43:59.461 app2 IDLE app2 active
2020-10-12 10:57:41.298 app1 IDLE app2 active
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
10-29-2020
03:15 AM
| makeresults | eval events="2020-10-07 11:13:29.283 app1 IDLE
2020-10-07 11:28:09.284 app1 IDLE
2020-10-07 11:51:17.138 app2 IDLE
2020-10-08 01:55:27.816 app1 app2 standby
2020-10-08 01:55:40.591 app2 app1 active
2020-10-08 13:37:01.284 app1 IDLE
2020-10-09 12:11:13.786 app2 IDLE
2020-10-12 09:01:49.119 app1 app2 active
2020-10-12 09:12:30.444 app2 app1 standby
2020-10-12 10:43:59.461 app2 IDLE
2020-10-12 10:57:41.298 app1 IDLE "
| rex field=events max_match=0 "(?<event>.+)[\r\n]*"
| mvexpand event
| fields - events
| rex field=event mode=sed "s/\t/,/g s/,,/,/g"
| rex field=event "(?<time>[^,]+),(?<host>[^,]+),(?<prev>[^,]+),(?<server>[^,]+),(?<server_state>.*)"
| fields - event _time
| eval _time=strptime(time,"%Y-%m-%d %H:%M:%S.%Q")
| fields - time
| eval active_server=if(server_state="active",server,null)
| eval active_state=if(server_state="active",server_state,null)
| streamstats latest(active_server) as active_server latest(active_state) as active_state
| eval server=if(prev="IDLE",active_server,server)
| eval server_state=if(prev="IDLE",active_state,server_state)
| fields - active_server active_state- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
10-29-2020
03:15 AM
| makeresults | eval events="2020-10-07 11:13:29.283 app1 IDLE
2020-10-07 11:28:09.284 app1 IDLE
2020-10-07 11:51:17.138 app2 IDLE
2020-10-08 01:55:27.816 app1 app2 standby
2020-10-08 01:55:40.591 app2 app1 active
2020-10-08 13:37:01.284 app1 IDLE
2020-10-09 12:11:13.786 app2 IDLE
2020-10-12 09:01:49.119 app1 app2 active
2020-10-12 09:12:30.444 app2 app1 standby
2020-10-12 10:43:59.461 app2 IDLE
2020-10-12 10:57:41.298 app1 IDLE "
| rex field=events max_match=0 "(?<event>.+)[\r\n]*"
| mvexpand event
| fields - events
| rex field=event mode=sed "s/\t/,/g s/,,/,/g"
| rex field=event "(?<time>[^,]+),(?<host>[^,]+),(?<prev>[^,]+),(?<server>[^,]+),(?<server_state>.*)"
| fields - event _time
| eval _time=strptime(time,"%Y-%m-%d %H:%M:%S.%Q")
| fields - time
| eval active_server=if(server_state="active",server,null)
| eval active_state=if(server_state="active",server_state,null)
| streamstats latest(active_server) as active_server latest(active_state) as active_state
| eval server=if(prev="IDLE",active_server,server)
| eval server_state=if(prev="IDLE",active_state,server_state)
| fields - active_server active_state
Get Updates on the Splunk Community!
[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events
This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
🚀 Your data just got a serious AI upgrade — are you ready?
Say hello to the Agentic Era with the ...
Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
