Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

My search for Windows Server status is not Working

vino06
New Member
‎07-06-2017 03:38 AM

Hi,

Good Day!

Hope anyone can help me to correct my search, I'm trying to search for our Windows server whether its UP or DOWN. I already coordinated to our SysAd that the following servers are UP. But on my search it's DOWN, please help me. Kindly see search below and also I'm attaching the result.!

| gentimes start=-1
| eval host="VMICSADR01|VMICSADR02|VMICSADR03|VMICSADR04|VMICSADR05|VMICSADR06|VMICSAPD01|VMICSAPD02|VMICSAPD03|VMICSAPD04|VMICSAPD05|VMICSAPD06"
| table host
| eval Status="DOWN"
| makemv host delim="|"
| mvexpand host
| append [search index=perfmon
| multikv
| search host=VMIC*
| eval Status=if(linecount=1,"UP",Status)
| stats latest(Status) as Status by host]
| stats list(Status) as Status by host
| rename host AS "Host"
| eval Status=mvindex(Status,-1)
| sort + Status

Tags (1)
Preview file
57 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎07-06-2017 07:47 AM

Okay, the problem here is that you are first putting records in for all of them saying DOWN, and then adding records that calculate the status, but you are not accurately getting rid of the dups.

I'm going to assume that this part accurately gets your status if there has been a record in the time range in question...

search index=perfmon
| multikv
| search host=VMIC*
| eval Status=if(linecount=1,"UP",Status)
| stats latest(Status) as Status by host

Now we want to add records only for any missing hosts. This collects what hosts have been found into a mv field, creates records for all the hosts, then kills any hosts that were in the mv field.

| appendpipe 
    [| stats values(host) as foundhosts 
     | eval host="VMICSADR01 VMICSADR02 VMICSADR03 VMICSADR04 VMICSADR05 VMICSADR06 VMICSAPD01 VMICSAPD02 VMICSAPD03 VMICSAPD04 VMICSAPD05 VMICSAPD06"
     | makemv host 
     | mvexpand host
     | where host!=foundhosts
     | table host
     | eval Status="DOWN"
     ]

You probably want to add a sort onto the end there to put them in host order, and/or optionally a filter to show only the down records.

| sort 0 host

For the curious, this run-anywhere sample replaces the first section to create test data...

| makeresults 
| eval host="VMICSADR01 VMICSADR02 VMICSADR03 VMICSADR04 VMICSAPD04 VMICSAPD05" 
| makemv host
| mvexpand host 
| eval Status="UP"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎07-06-2017 07:47 AM

Okay, the problem here is that you are first putting records in for all of them saying DOWN, and then adding records that calculate the status, but you are not accurately getting rid of the dups.

I'm going to assume that this part accurately gets your status if there has been a record in the time range in question...

search index=perfmon
| multikv
| search host=VMIC*
| eval Status=if(linecount=1,"UP",Status)
| stats latest(Status) as Status by host

Now we want to add records only for any missing hosts. This collects what hosts have been found into a mv field, creates records for all the hosts, then kills any hosts that were in the mv field.

| appendpipe 
    [| stats values(host) as foundhosts 
     | eval host="VMICSADR01 VMICSADR02 VMICSADR03 VMICSADR04 VMICSADR05 VMICSADR06 VMICSAPD01 VMICSAPD02 VMICSAPD03 VMICSAPD04 VMICSAPD05 VMICSAPD06"
     | makemv host 
     | mvexpand host
     | where host!=foundhosts
     | table host
     | eval Status="DOWN"
     ]

You probably want to add a sort onto the end there to put them in host order, and/or optionally a filter to show only the down records.

| sort 0 host

For the curious, this run-anywhere sample replaces the first section to create test data...

| makeresults 
| eval host="VMICSADR01 VMICSADR02 VMICSADR03 VMICSADR04 VMICSAPD04 VMICSAPD05" 
| makemv host
| mvexpand host 
| eval Status="UP"
0 Karma
Reply
Solved! Jump to solution

vino06
New Member
‎07-06-2017 06:22 PM

I tried this and it worked, it's much easier.

| makeresults
| eval host="VMICSADR01 VMICSADR02 VMICSADR03 VMICSADR04 VMICSAPD04 VMICSAPD05"
| makemv host
| mvexpand host
| eval Status="UP"

Thanks a lot 🙂

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎07-06-2017 07:29 AM

Make sure to mark your code as code (for example, using the button marked 101 010) so that he web interface will not alter the code by removing things that look like HTML tags.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...