Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to use events only from 'active' host?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JykkeDaMan
Path Finder
10-28-2020
11:04 PM
I have 2 different data set:
1. host and prevStatus field with IDLE value
2. server (same values as host) and server state with active/standby values.
I would like to use prevStatus events ONLY from the active server. My base search is something like
index=indx (host=app1 OR host app2) (prevStatus=IDLE OR (server_state=active OR server_state=standby))
How do I mark all the prevStatus events so, that they have the current server_state field on them, so that I can then just filter
prevStatus=IDLE AND host=server AND server_state=active?
I think I need to use streamstats, but I did not quite get it there.
Example data table below:
_time host prevStatus server server_state
2020-10-07 11:13:29.283 app1 IDLE
2020-10-07 11:28:09.284 app1 IDLE
2020-10-07 11:51:17.138 app2 IDLE
2020-10-08 01:55:27.816 app1 app2 standby
2020-10-08 01:55:40.591 app2 app1 active
2020-10-08 13:37:01.284 app1 IDLE
2020-10-09 12:11:13.786 app2 IDLE
2020-10-12 09:01:49.119 app1 app2 active
2020-10-12 09:12:30.444 app2 app1 standby
2020-10-12 10:43:59.461 app2 IDLE
2020-10-12 10:57:41.298 app1 IDLE
I think I need something like this:
_time host prevStatus server server_state
2020-10-07 11:13:29.283 app1 IDLE
2020-10-07 11:28:09.284 app1 IDLE
2020-10-07 11:51:17.138 app2 IDLE
2020-10-08 01:55:27.816 app1 app2 standby
2020-10-08 01:55:40.591 app2 app1 active
2020-10-08 13:37:01.284 app1 IDLE app1 active
2020-10-09 12:11:13.786 app2 IDLE app1 active
2020-10-12 09:01:49.119 app1 app2 active
2020-10-12 09:12:30.444 app2 app1 standby
2020-10-12 10:43:59.461 app2 IDLE app2 active
2020-10-12 10:57:41.298 app1 IDLE app2 active
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
10-29-2020
03:15 AM
| makeresults | eval events="2020-10-07 11:13:29.283 app1 IDLE
2020-10-07 11:28:09.284 app1 IDLE
2020-10-07 11:51:17.138 app2 IDLE
2020-10-08 01:55:27.816 app1 app2 standby
2020-10-08 01:55:40.591 app2 app1 active
2020-10-08 13:37:01.284 app1 IDLE
2020-10-09 12:11:13.786 app2 IDLE
2020-10-12 09:01:49.119 app1 app2 active
2020-10-12 09:12:30.444 app2 app1 standby
2020-10-12 10:43:59.461 app2 IDLE
2020-10-12 10:57:41.298 app1 IDLE "
| rex field=events max_match=0 "(?<event>.+)[\r\n]*"
| mvexpand event
| fields - events
| rex field=event mode=sed "s/\t/,/g s/,,/,/g"
| rex field=event "(?<time>[^,]+),(?<host>[^,]+),(?<prev>[^,]+),(?<server>[^,]+),(?<server_state>.*)"
| fields - event _time
| eval _time=strptime(time,"%Y-%m-%d %H:%M:%S.%Q")
| fields - time
| eval active_server=if(server_state="active",server,null)
| eval active_state=if(server_state="active",server_state,null)
| streamstats latest(active_server) as active_server latest(active_state) as active_state
| eval server=if(prev="IDLE",active_server,server)
| eval server_state=if(prev="IDLE",active_state,server_state)
| fields - active_server active_state- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
10-29-2020
03:15 AM
| makeresults | eval events="2020-10-07 11:13:29.283 app1 IDLE
2020-10-07 11:28:09.284 app1 IDLE
2020-10-07 11:51:17.138 app2 IDLE
2020-10-08 01:55:27.816 app1 app2 standby
2020-10-08 01:55:40.591 app2 app1 active
2020-10-08 13:37:01.284 app1 IDLE
2020-10-09 12:11:13.786 app2 IDLE
2020-10-12 09:01:49.119 app1 app2 active
2020-10-12 09:12:30.444 app2 app1 standby
2020-10-12 10:43:59.461 app2 IDLE
2020-10-12 10:57:41.298 app1 IDLE "
| rex field=events max_match=0 "(?<event>.+)[\r\n]*"
| mvexpand event
| fields - events
| rex field=event mode=sed "s/\t/,/g s/,,/,/g"
| rex field=event "(?<time>[^,]+),(?<host>[^,]+),(?<prev>[^,]+),(?<server>[^,]+),(?<server_state>.*)"
| fields - event _time
| eval _time=strptime(time,"%Y-%m-%d %H:%M:%S.%Q")
| fields - time
| eval active_server=if(server_state="active",server,null)
| eval active_state=if(server_state="active",server_state,null)
| streamstats latest(active_server) as active_server latest(active_state) as active_state
| eval server=if(prev="IDLE",active_server,server)
| eval server_state=if(prev="IDLE",active_state,server_state)
| fields - active_server active_state
Get Updates on the Splunk Community!
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
Introducing the 2024 SplunkTrust!
Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!
The ...
