Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

State Search Help

RobertRi
Communicator
‎10-06-2010 08:53 AM

Hi

I have a logfile which looks like this:

%Date %Time %Server %Application %State ("State UP" or "State DOWN")

If I try to find the last State for App1, i will use this search

App1 ("State UP" OR "State DOWN") | head 1

this will result in one event with State UP or DOWN

My problem now is that there are 50 Apps and I would like to show a list with all 50 Apps and there current states.

Could you please help me with this search

Thanks Rob

Tags (1)
0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎01-29-2011 07:39 PM

Check my blog post regarding maintaining state:

http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/
0 Karma
Reply

sdwilkerson
Contributor
‎10-06-2010 11:12 AM

RobertRi,

I am not sure from your message if your fields are properly extracted or not. If the fields that contain "Application" and "State" are extracted, then you could do a variety of things including:

SEARCH: sourcetype=YourSourcetype | table Application,State SEARCH: sourcetype=YourSourcetype | stats list State by Application

You should replace YourSourcetype with whatever the proper sourcetype is here.

You might want to add something like this at the end of your search | sort Application to alter the order your results are displayed.

Also, depending on how many events are in your index per Application you might need to do a dedup.

If your fields are not currently extracted, you should do that first so that the data is more usable.

Sean

0 Karma
Reply

RobertRi
Communicator
‎10-08-2010 07:44 AM

thank you for your help.

another question is, if it is possible to search within this stats output. I have tried many things without success.

("State UP" OR "State DOWN") | stats first(state) by application | search DOWN

I don't want the latest DOWN event because in the meantime a UP event could be written into the log, so I would try to catch only the latest State event witch have a DOWN value

Do you have a clue ?

Bye
Rob

0 Karma
Reply

RobertRi
Communicator
‎10-06-2010 09:26 AM

I have tried the following which looks good
("State UP" OR "State DOWN") | stats first(state) by application

maybe you have an alternate solution ?

0 Karma
Reply
Get Updates on the Splunk Community!

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...