Splunk Search

Need to add the lookup for existing query and show the status

Veeru
Path Finder

I have the stores and I want to check the status of each store, whether it is up or down. I want to show the status with the help of the Processes.csv lookup:

process   Services   DeviceType
ax        Amazon x   controller
by        buy        register

I wrote a query but it is not showing the status up or down:
|mstats latest_time(value) as _time where (host="*" OR host="t*") index=a_store_metrics AND metric_name="process.time" by host process
|search process IN ("ax","by")
|eval host=lower(host)
|rex field=host "(?<Device>[^\.]+)"
|rex field=Device "(?<store>\w{7})"
|search [|inputlookup store_device where store="a01"
|fields Device
|format]
|lookup store_device Device OUTPUT Store as storetype DeviceType
|where (DeviceType="Controller" OR DeviceType="Register") AND store="a01"
|lookup process.csv process OUTPUT Services
|stats latest(_time) as time by instance store
|eval status=if(time!="".,"UP","DOWN")
|fields store instance service status
I am getting this output:

store   instance   service    status
a01     ax         amazon x   UP
a01     by         buy        UP


If I switch the store off it is not showing down; it is showing only one instance.
Suppose I stop the services for by: it should show status down in the by column, but it is not showing the entire column, as shown below.

store   instance   service    status
a01     ax         amazon x   UP

Please help me out.

Thank you


Veeru
Path Finder

@ITWhisperer 
When time is not equal to null I kept it as up; if null, it will show down.


ITWhisperer
SplunkTrust

If you want to check for null, use isnull() or isnotnull():

| eval status=if(isnotnull(_time),"UP","DOWN")

However, this will probably not get you what you want, as _time will probably not be null; it will just be the latest value, and therefore the status will always be "UP".

Veeru
Path Finder

@ITWhisperer 

Thanks for the help. But it is showing only up; when something goes down I am unable to show which particular services are down. It is disappearing in the results.

I want to show when the particular service is down or the store is down; we need to show that in the table,

but I am getting no results found.


ITWhisperer
SplunkTrust
SplunkTrust

Which events tell you that the service or store is down?


ITWhisperer
SplunkTrust
SplunkTrust

What are you trying to achieve with this line?

|eval status=if(time!="".,"UP","DOWN")

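One way to keep a stopped process visible as DOWN instead of letting its row vanish, as an added example that is not from anyone in the thread: seed the result set from the lookup of expected processes, append the observed metric rows, and mark anything that has no recent data. It assumes the process.csv lookup has the process/Services/DeviceType columns shown in the question, that the rex lines copied from the original query yield the same store value as the seed, and that every process reports at least every 15 minutes (the window is a placeholder to tune).

```spl
| inputlookup process.csv
| rename process AS instance
| eval store="a01"
| append
    [| mstats latest_time(value) AS _time WHERE index=a_store_metrics AND metric_name="process.time" BY host process
     | eval host=lower(host)
     | rex field=host "(?<Device>[^\.]+)"
     | rex field=Device "(?<store>\w{7})"
     | where store="a01"
     | rename process AS instance
     | fields store instance _time]
| stats max(_time) AS last_seen, values(Services) AS service BY store instance
| eval status=if(isnotnull(last_seen) AND last_seen >= relative_time(now(), "-15m"), "UP", "DOWN")
| eval last_seen=if(isnotnull(last_seen), strftime(last_seen, "%Y-%m-%d %H:%M:%S"), "never")
| table store instance service status last_seen
```

max(_time) is null for a seed row that matched no metric, and the freshness comparison also flags a process whose last metric is older than the window, which is what a plain isnotnull(_time) test on the mstats output alone can never do because every returned row carries a latest value.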