Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

counting the latest servers

fresned
Path Finder
‎08-16-2012 10:44 AM

Hi,

My log contains entries as shown below:

5:12:08.100 PM | activateServerlocked | tid:2552 | serverID="dev1" State="UP"

5:01:58.055 PM | deactivateNode | tid:2552 | serverID="dev1" State="DOWN"

3:51:53.115 PM | activateServerlocked | tid:2552 | serverID="dev1" State="UP"

3:46:48.092 PM | activateServerlocked | tid:2552 | serverID="dev2" State="UP"

4:56:41.099 AM | deactivateNode | tid:2552 | serverID="dev2" State="DOWN"

4:51:36.056 AM | activateServerlocked | tid:2552 | serverID="dev2" State="UP"

I want to know how many servers are up at the time the query is ran. the issue is that the servers go up and down all the time. For example: now many servers are UP now.
The result should show 2

How can I get these numbers?

Appreciate any help!!

Tags (1)
Reply

sideview
SplunkTrust
SplunkTrust
‎08-16-2012 11:25 AM

If you run the search back in time enough to where you're reasonably confident that each server appears at least once, you just run this: 

<your searchterms> | stats first(State) as State by serverID | where State="UP"
0 Karma
Reply

tfletcher_splun
Splunk Employee
Splunk Employee
‎08-16-2012 11:25 AM

So to get this what we'll do is use the first result back in time from the time the search is run. This means that we will get the latest status of each unique server:

source="mylog" | dedup serverID  | stats count as "Number of Servers in State" list(ServerID) as "Server List" by State
0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎08-16-2012 11:23 AM

This should give you the latest event for each serverID and then filter it by UP only and then count it.

sourcetype="yoursourcetype" | stats first(State) as State by serverID | search State=UP | stats count

0 Karma
Reply

fresned
Path Finder
‎08-16-2012 12:01 PM

Thanks this pointed me down the correct path.
this is what worked
sourcetype="mysourcetype"
| stats first(State) as State by serverID
| stats count(eval(State="UP")) AS Count_UP

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...