Good Morning! I rarely get to dabble in SPL, and as such, some (probably simple) things stump me. That is what brought me here today. I have a scenario in which I need to pull SYSLOG events from a series of machines that all report the field names. One of those machines is the authoritative source of values, which all of the other systems should have. As an example, I have 3 machines... M1, M2, M3, and each machine reports three field/value pairs... sync-timestamp, version-number, machine-name. I need to compare the sync-timestamp of M1 with the sync-timestamp of the other two machines. My idea is to assign the "sync-timestamp value WHERE computer-name=M1" to a variable by which to compare the other two machines' values. I intend to use this report to ultimately create an alert, so we know if machines are not syncing properly. I just cannot figure out the syntax to make this happen. Can anyone provide some guidance on this? Thank you in advance!
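One way to express the comparison described in the post, as an added example that is not part of the original post. The index and sourcetype are placeholders, and the search assumes the fields are extracted as `sync-timestamp` and `machine-name` with M1 as the authoritative machine. It takes the latest sync-timestamp per machine, copies M1's value onto every row with `eventstats`, and keeps the machines that differ from M1 (or every machine, if M1 reported nothing in the search window):

```spl
index=<your_index> sourcetype=<your_syslog_sourcetype>
| rename "sync-timestamp" AS sync_ts, "machine-name" AS machine
| search machine IN ("M1", "M2", "M3")
| stats latest(sync_ts) AS sync_ts BY machine
| eval m1_ts=if(machine=="M1", sync_ts, null())
| eventstats values(m1_ts) AS m1_sync_ts
| where machine!="M1" AND (isnull(m1_sync_ts) OR sync_ts!=m1_sync_ts)
| table machine, sync_ts, m1_sync_ts
```

Saved as an alert, this can trigger when the number of results is greater than zero, since each returned row is a machine that is out of sync with M1.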