Splunk Search

State Search Help



I have a logfile which looks like this:

%Date %Time %Server %Application %State ("State UP" or "State DOWN")

If I try to find the last State for App1, i will use this search

App1 ("State UP" OR "State DOWN") | head 1

this will result in one event with State UP or DOWN

My problem now is that there are 50 Apps and I would like to show a list with all 50 Apps and there current states.

Could you please help me with this search

Thanks Rob

Tags (1)
0 Karma

Splunk Employee
Splunk Employee

Check my blog post regarding maintaining state:

0 Karma



I am not sure from your message if your fields are properly extracted or not. If the fields that contain "Application" and "State" are extracted, then you could do a variety of things including:

SEARCH: sourcetype=YourSourcetype | table Application,State SEARCH: sourcetype=YourSourcetype | stats list State by Application

You should replace YourSourcetype with whatever the proper sourcetype is here.

You might want to add something like this at the end of your search | sort Application to alter the order your results are displayed.

Also, depending on how many events are in your index per Application you might need to do a dedup.

If your fields are not currently extracted, you should do that first so that the data is more usable.


0 Karma


thank you for your help.

another question is, if it is possible to search within this stats output. I have tried many things without success.

("State UP" OR "State DOWN") | stats first(state) by application | search DOWN

I don't want the latest DOWN event because in the meantime a UP event could be written into the log, so I would try to catch only the latest State event witch have a DOWN value

Do you have a clue ?


0 Karma


I have tried the following which looks good
("State UP" OR "State DOWN") | stats first(state) by application

maybe you have an alternate solution ?

0 Karma