Activity Feed
- Posted Splunk SPL help... on Splunk Search. 10-13-2014 04:48 PM
- Tagged Splunk SPL help... on Splunk Search. 10-13-2014 04:48 PM
- Posted Re: How to compare output of a search to a lookup file? on Splunk Search. 10-09-2014 06:52 AM
- Posted Re: How to compare output of a search to a lookup file? on Splunk Search. 10-08-2014 05:45 PM
- Posted How to compare output of a search to a lookup file? on Splunk Search. 10-08-2014 12:06 PM
- Tagged How to compare output of a search to a lookup file? on Splunk Search. 10-08-2014 12:06 PM
10-13-2014 04:48 PM
I hope someone can point me in the right direction because I really need help. SPL transforms are anything but easy and I now work for a company who expects it on a regular basis. Can anyone tell me the best place to learn SPL from beginner to advanced without having to pay for classes? Performing one or two searches in the same statement is one thing but advanced transform statements like the Professional Services guys can write is way out of my league. I have looked at the docs on this website and they have not been helpful (unless I'm looking at the wrong ones however my guess is Splunk wants you to pay them for that info :-().
Thank you in advance.
- Tags:
- spl
10-09-2014 06:52 AM
Awesome and by piping that to stats count I can get the total number of matches that don't equal the hostname so now I've got two variables (sort of) which leads to my next question actually in two parts. The first, how can I turn the output of each search into a variable (i.e. X and Y)? The second, how can I compare the two? My end goal is to create a dashboard gauge that shows a percentage of servers that have reported in "X" against the total number of servers in the list "Y" (where "Y" would be 100%).
10-08-2014 05:45 PM
OK so my search looks like this:
index= | rex "\sFrom\s \"(?<hostname>[^\"]+)\"" | stats count by hostname
My field is also named hostname in the lookup table. My lookup is called thingamajig. What I am trying to accomplish is this, my lookup table contains about 20 hostnames. The search extracts the field "From" and calls it hostname then lists how many times each hostname is hit upon. What I am hoping is that I can then cross reference the output of that search (i.e. list of hostnames it gets) against the lookup table to find out how many hostnames listed in the lookup table it didn't match as that is the data I am looking for.
10-08-2014 12:06 PM
So I've got a lookup table full of hostnames that I want to compare to a search that returns only the active hosts so I can figure out which of those hosts are active and which aren't. Basically if the resultant hostname from the lookup is not in the results of the search I want it printed and counted so I can get an idea as to what hosts aren't currently active when compared to the lookup file.
I can't seem to find an answer to this anywhere.
Help!