Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to write a search to track the time when service assignment changes between multiple hosts?

thegeekthedude
New Member
‎01-08-2016 01:53 PM

We have a system where, when a service name (a unique service name referenced by service=service_N where N=1 to 20) dies, it gets assigned to another host. To explain further...

We have service=service1 running on host=hostname1 initially. After sometime, because of some reason, service1 dies on hostname1, but a new service comes up on another host with the same name. So after a time T, service=service1 is running on host=hostname2. I am able to get the changing state of the service name from the event logs in Splunk using the search:

service=service1 | stats value(host) by service

and I get this:

service1 | hostname1
         | hostname2
  1. How do I capture the time when the service name assignment changed?
  2. What is the best way to graph this data when service=service* ?

Thanks

0 Karma
Reply

sundareshr
Legend
‎01-08-2016 02:51 PM

Try this

your search criteria | streamstats current=f range(_time) as diff by service | table service, host, diff
0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...