Since you don't know Python, I'm going to give you some sample code to change the pingstatus.py:

    import sys  # needed for sys.argv

    count = 1  # default: a single ping per result
    if len(sys.argv) > 1 and len(sys.argv) != 4 and len(sys.argv) != 5:
        print("Usage |pingstatus url as <local-field> (or have url field name in data) <optional-count>")
        sys.exit()
    elif len(sys.argv) == 4:
        urlfield = sys.argv[3]
    elif len(sys.argv) == 5:
        urlfield = sys.argv[3]
        # sys.argv values are strings; convert so range(1, count + 1) works
        count = int(sys.argv[4])

That will get you your count argument as a number added to your pingstatus command. Don't use count=5 as input as you'll have to parse that. Just put in 5. For example: |pingstatus url as ip 5|table ip pingstatus*
Next, for the pingdelay field, you can use this approach.

    # requires the socket module and the ping.py module to be imported
    if urlfield in r:
        for i in range(1, count + 1):
            try:
                delay = ping.do_one(r[urlfield], timeout=2)
                if count == 1:
                    # single ping: keep the plain field name
                    r["pingdelay"] = delay
                else:
                    # several pings: pingdelay1, pingdelay2, ...
                    pingdelay = "pingdelay" + str(i)
                    r[pingdelay] = delay
            except socket.error as e:
                # ping failed: record a sentinel delay value
                if count == 1:
                    r["pingdelay"] = 10000000
                else:
                    pingdelay = "pingdelay" + str(i)
                    r[pingdelay] = 10000000

This will create fields pingdelay1, pingdelay2, etc. if your count is greater than 1. This has not been tested, so you'll have to play with it. Also, don't just copy and paste from this answers post as the formatting may be wrong. In Python, proper indentation matters. In Splunk to print your results, do:
|table pingdelay*
As for Windows vs Linux, I'm not sure why this is different as I used a public domain ping.py program to get my results. For Windows you may have to find a version that is better suited for it. Keep in mind this is a reference implementation to give you an idea of how to do this. It is used as is.