Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: My search for Windows Server status is not Wor...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Good Day!
Hope anyone can help me to correct my search, I'm trying to search for our Windows server whether its UP or DOWN. I already coordinated to our SysAd that the following servers are UP. But on my search it's DOWN, please help me. Kindly see search below and also I'm attaching the result.!
| gentimes start=-1
| eval host="VMICSADR01|VMICSADR02|VMICSADR03|VMICSADR04|VMICSADR05|VMICSADR06|VMICSAPD01|VMICSAPD02|VMICSAPD03|VMICSAPD04|VMICSAPD05|VMICSAPD06"
| table host
| eval Status="DOWN"
| makemv host delim="|"
| mvexpand host
| append [search index=perfmon
| multikv
| search host=VMIC*
| eval Status=if(linecount=1,"UP",Status)
| stats latest(Status) as Status by host]
| stats list(Status) as Status by host
| rename host AS "Host"
| eval Status=mvindex(Status,-1)
| sort + Status
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, the problem here is that you are first putting records in for all of them saying DOWN, and then adding records that calculate the status, but you are not accurately getting rid of the dups.
I'm going to assume that this part accurately gets your status if there has been a record in the time range in question...
search index=perfmon
| multikv
| search host=VMIC*
| eval Status=if(linecount=1,"UP",Status)
| stats latest(Status) as Status by host
Now we want to add records only for any missing hosts. This collects what hosts have been found into a mv field, creates records for all the hosts, then kills any hosts that were in the mv field.
| appendpipe
[| stats values(host) as foundhosts
| eval host="VMICSADR01 VMICSADR02 VMICSADR03 VMICSADR04 VMICSADR05 VMICSADR06 VMICSAPD01 VMICSAPD02 VMICSAPD03 VMICSAPD04 VMICSAPD05 VMICSAPD06"
| makemv host
| mvexpand host
| where host!=foundhosts
| table host
| eval Status="DOWN"
]
You probably want to add a sort onto the end there to put them in host order, and/or optionally a filter to show only the down records.
| sort 0 host
For the curious, this run-anywhere sample replaces the first section to create test data...
| makeresults
| eval host="VMICSADR01 VMICSADR02 VMICSADR03 VMICSADR04 VMICSAPD04 VMICSAPD05"
| makemv host
| mvexpand host
| eval Status="UP"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, the problem here is that you are first putting records in for all of them saying DOWN, and then adding records that calculate the status, but you are not accurately getting rid of the dups.
I'm going to assume that this part accurately gets your status if there has been a record in the time range in question...
search index=perfmon
| multikv
| search host=VMIC*
| eval Status=if(linecount=1,"UP",Status)
| stats latest(Status) as Status by host
Now we want to add records only for any missing hosts. This collects what hosts have been found into a mv field, creates records for all the hosts, then kills any hosts that were in the mv field.
| appendpipe
[| stats values(host) as foundhosts
| eval host="VMICSADR01 VMICSADR02 VMICSADR03 VMICSADR04 VMICSADR05 VMICSADR06 VMICSAPD01 VMICSAPD02 VMICSAPD03 VMICSAPD04 VMICSAPD05 VMICSAPD06"
| makemv host
| mvexpand host
| where host!=foundhosts
| table host
| eval Status="DOWN"
]
You probably want to add a sort onto the end there to put them in host order, and/or optionally a filter to show only the down records.
| sort 0 host
For the curious, this run-anywhere sample replaces the first section to create test data...
| makeresults
| eval host="VMICSADR01 VMICSADR02 VMICSADR03 VMICSADR04 VMICSAPD04 VMICSAPD05"
| makemv host
| mvexpand host
| eval Status="UP"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried this and it worked, it's much easier.
| makeresults
| eval host="VMICSADR01 VMICSADR02 VMICSADR03 VMICSADR04 VMICSAPD04 VMICSAPD05"
| makemv host
| mvexpand host
| eval Status="UP"
Thanks a lot 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Make sure to mark your code as code (for example, using the button marked 101 010) so that he web interface will not alter the code by removing things that look like HTML tags.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
