Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About tdotcspot
tdotcspot
New Member
Member since:
12-12-2018
06-05-2020
Community Statistics
| Posts | 3 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 12-12-2018 |
Activity Feed
- Posted Re: Search From Two Indexes. Applying A Name Referenced By Id On Both Searches. on Splunk Search. 12-17-2018 11:36 AM
- Posted Search From Two Indexes. Applying A Name Referenced By Id On Both Searches. on Splunk Search. 12-17-2018 11:05 AM
- Tagged Search From Two Indexes. Applying A Name Referenced By Id On Both Searches. on Splunk Search. 12-17-2018 11:05 AM
- Tagged Search From Two Indexes. Applying A Name Referenced By Id On Both Searches. on Splunk Search. 12-17-2018 11:05 AM
- Tagged Search From Two Indexes. Applying A Name Referenced By Id On Both Searches. on Splunk Search. 12-17-2018 11:05 AM
- Tagged Search From Two Indexes. Applying A Name Referenced By Id On Both Searches. on Splunk Search. 12-17-2018 11:05 AM
- Posted Comparing Two Searches (WIth Different Search Patterns). Find Difference From First Search on All Apps and Add-ons. 12-12-2018 11:51 AM
- Tagged Comparing Two Searches (WIth Different Search Patterns). Find Difference From First Search on All Apps and Add-ons. 12-12-2018 11:51 AM
- Tagged Comparing Two Searches (WIth Different Search Patterns). Find Difference From First Search on All Apps and Add-ons. 12-12-2018 11:51 AM
- Tagged Comparing Two Searches (WIth Different Search Patterns). Find Difference From First Search on All Apps and Add-ons. 12-12-2018 11:51 AM
- Tagged Comparing Two Searches (WIth Different Search Patterns). Find Difference From First Search on All Apps and Add-ons. 12-12-2018 11:51 AM
Topics I've Started
12-17-2018
11:36 AM
Just to add I did accomplish this using a "join", but I am unsure if this is the best way to go based on performance.
index="cloudwatch" metric_name=CPUUtilization
| rex field=metric_dimensions "^(?<instanceId>(\bInstanceId=.*\b))"
| eval instanceId = trim(replace(instanceId, "InstanceId=\[", ""))
| join instanceId
[ search index="description" | spath output="instanceId" id | search id="i-*" | spath output="instanceName" "tags.Name" | search "tags.Name"="*" | dedup instanceId]
| timechart eval(round(avg(Average),2)) by instanceName where max in top10
... View more
12-17-2018
11:05 AM
Hi there,
Hoping someone could help me out. I'm currently using the AWS Add-On For Splunk and I wanted to expand the EC2 CPU Usage template that was provided (my 2nd search example below) . I've adjusted it a bit to provide me a list of instance ids in a timechart format. This works great, however I wanted to try to cross-reference it with another search that could give me the "name" tag of the EC2 using another index rather than the id.
1st search - This search gives me a list of "instanceids" and "names"
i-123456789, server1
i-234567890, server 2
index="description" | spath output="dInstanceId" id | search id="i-*" | spath output="dInstanceName" "tags.Name" | search "tags.Name"="*"
|dedup dInstanceName
|table dInstanceId, dInstanceName
2nd search - This search gives me the CPU Utilization metric.
i-123456789
2018-12-16 11:00:00 0.50
index="cloudwatch" metric_name=CPUUtilization
| rex field=metric_dimensions "^(?<cwInstanceId>(\bInstanceId=.*\b))"
| eval cwInstanceId = trim(replace(cwInstanceId, "InstanceId=\[", ""))
| timechart eval(round(avg(Average),2)) by cwInstanceId where max in top10
My end goal is to have it reference the 1st search and provide a:
server1
2018-12-16 11:00:00 0.50
I attempted trying to cross-compare with an appended search without any luck. Would a join be used in this scenario? Or should I attempt to send the first search to a lookup table then try to input that data into the 2nd search?
Any help would be appreciated!
Thanks,
T
... View more
12-12-2018
11:51 AM
Hi there,
I'm having a bit of trouble trying to accomplish this and I'm hoping someone can help. I'm using the AWS add on in Splunk (which grabs CloudTrail logs) and I'm trying to create a search that shows how many EC2 instances are currently active for the day in our environment. My thought process was to 1) find the number of running instances, get the ids 2) get the number of terminated instances, find those ids and 3) compare the two searches and do a one way diff. Iterating thru each id on the 1st search and if they are not found in the ids of the 2nd search, the instance is still running.
First query:
index="cloudtrail" eventName=RunInstances earliest=-0h@d | spath output="runningInstances" "responseElements.instancesSet.items{}.instanceId" |table runningInstances
Second query:
index="*" eventName=TerminateInstances earliest=-0h@d | spath output="terminatedInstances" "responseElements.instancesSet.items{}.instanceId" |table terminatedInstances
I thought I could use a "|set diff" but don't have a lot of experience with it. I also thought I could also attempt some type of "|foreach" loop within another "|foreach" loop.. but I think I'm making it too complex.
Any help would be greatly appreciated!
Thanks,
T
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
