×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
PowerBlade
New Member
Member since: ‎01-25-2013
‎06-05-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎01-25-2013
Activity Feed
Topics I've Started
View All

Combining multiple events

by in Splunk Search
‎02-01-2013 08:40 AM
‎02-01-2013 08:40 AM
Hi I have a question to how I do a report based on multiple events. In this particular case, I started logging from our Cisco Wireless Lan Controller. I receive multiple AP association and disassociation events. I can easily query to find the disassociation events and I can also easily query for association events. But I'm having a problem how to form a query to combine the events. I want 2 different reports. 1) Get a list of access points that sent a disassociation event but no association events after that. (disappeared from the network) 2) Get a list of access points that sent an association event with no disassociation event before that (say within the last 24 hours) - (New access points added to the network) Example to query for an disassociation event: index=wireless bsnAPDisassociated | rex "bsnAPName.0 = STRING: \"(?<apname>\S+)\"" Example to query for an association event: index=wireless ciscoLwappApMIBNotifs.4 | rex "cLApName.'\S+' = STRING: (?<apname>\S+)" I will appreciate any hints I can get to solve my problem. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM