Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Comparing Latency from a Subnet to 3 different destinations and output the best option.

rjgreg
Explorer
‎09-17-2021 10:57 AM

I am testing network latency from various subnets to 3 different VCenters.  The output gives me 3 results per subnet IP. How do I have Splunk see the values per subnet and output the best of the three options?   I am fairly new to this and the tutorial got me this far.  Any constructive help would be appreciated. Current Search is below.  

index="wineventlog" host="mgmt" source="wineventlog:application" "EventCode=999" "SourceName=NetworkLatencyCheck"

| sort 1 - _time

| mvexpand SubnetSourceLatencyDestinationSiteLocationStatus

| rex Field=SubnetSourceLatencyDestinationSiteLocationStatus  "^(?<Subnet>.*),\$(?<Source>.*),\$(?<Latency>.*),\$(?<Destination>.*),\$(?<Site>.*),\$(?<Location>.*),\$(?<Status>.*)"

| regex Source="(\d{1,3}\.(\d{1,3}\.(\d{1,3}\.(\d{1,3})"

| table Subnet Latency Destination

***Example Output***

Subnet                  Latency          Destination

192.10.10               152.75            a08-vcenter

192.10.10                87                    a05-vcenter

192.10.10                8                      a03-vcenter

192.1.1                    25                     a08-vcenter

192.1.1                   13                      a05-vcenter

192.1.1                   48                      a03-vcenter

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rjgreg
Explorer
‎09-21-2021 05:30 AM

@richgalloway   I tried to send this yesterday, but it seems to have been lost in the ether.  The |stats command you gave me didn't output anything in the statistics  view.  I figured out the problem and solved it with the | dedup command you can see in the complete search below.  I added a few fields for the table as well, for tracking.  Thank you for your help.  Not sure I would have found the solution without your help.

index="wineventlog" host="mgmt" source="wineventlog:application" "EventCode=999" "SourceName=NetworkLatencyCheck"
| sort 1 - _time
| mvexpand SubnetSourceLatencyDestinationSiteLocationStatus
| rex Field=SubnetSourceLatencyDestinationSiteLocationStatus  "^(?<Subnet>.*),\$(?<Source>.*),\$(?<Latency>.*),\$(?<Destination>.*),\$(?<Site>.*),\$(?<Location>.*),\$(?<Status>.*)"
| regex Source="(\d{1,3}\.(\d{1,3}\.(\d{1,3}\.(\d{1,3})"
| stats min(Latency) as latency by Subnet, Destination, Location, _time
| dedup Subnet sortby +Latency
| sort Subnet
| table Subnet Latency Destination Location _time

 

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-17-2021 11:19 AM

The stats command can select the "best" option.

index="wineventlog" host="mgmt" source="wineventlog:application" "EventCode=999" "SourceName=NetworkLatencyCheck"
| sort 1 - _time
| mvexpand SubnetSourceLatencyDestinationSiteLocationStatus
| rex Field=SubnetSourceLatencyDestinationSiteLocationStatus  "^(?<Subnet>.*),\$(?<Source>.*),\$(?<Latency>.*),\$(?<Destination>.*),\$(?<Site>.*),\$(?<Location>.*),\$(?<Status>.*)"
| regex Source="(\d{1,3}\.(\d{1,3}\.(\d{1,3}\.(\d{1,3})"
| stats min(Latency) as Latency by Subnet, Destination
| table Subnet Latency Destination
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

rjgreg
Explorer
‎09-20-2021 06:25 AM

@richgalloway  Thank you.  The output for the stats command organized the subnets from fastest to slowest, which is a big help. Do you know of a way to drop the slower two destinations?  The chart output I am looking for will list the fastest connection for each subnet and exclude the other two  destinations for each.  

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-20-2021 06:34 AM

While you can use the head or sort commands to limit the number of results, I don't know of a way to show all except the last n results.  Perhaps you could count the number of results, subtract two and pass the result to head.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

rjgreg
Explorer
‎09-20-2021 06:46 AM

@richgalloway  I'm still very new to writing Splunk commands.  How would the head command look?  In the current table, I have a total of 201 results.  There are three destinations, so each subnet appears three times in the table, like the example below.  Is it possible to use the head command per subnet to end up with 67 results (1/3rd of the results), which would be comprised of the best connection for each subnet? Thank you for your help 

 

***Example Output Before***

Subnet                  Latency          Destination

192.10.10                8                      a03-vcenter

192.10.10                87                    a05-vcenter

192.10.10               152.75            a08-vcenter

192.1.1                   13                      a05-vcenter

192.1.1                    25                     a08-vcenter

192.1.1                   48                      a03-vcenter

***Example of desired output***

Subnet                  Latency          Destination

192.10.10                8                      a03-vcenter

192.1.1                   13                      a05-vcenter

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-20-2021 08:45 AM

The head command is similar to the same command in Linux in that it displays the first few lines of the given input.  It's not smart enough to count within groups.

Another option for you is the stats command.

... | stats first(Latency) as Latency, first(Destination) as Destination by Subnet
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution
Solution

rjgreg
Explorer
‎09-21-2021 05:30 AM

@richgalloway   I tried to send this yesterday, but it seems to have been lost in the ether.  The |stats command you gave me didn't output anything in the statistics  view.  I figured out the problem and solved it with the | dedup command you can see in the complete search below.  I added a few fields for the table as well, for tracking.  Thank you for your help.  Not sure I would have found the solution without your help.

index="wineventlog" host="mgmt" source="wineventlog:application" "EventCode=999" "SourceName=NetworkLatencyCheck"
| sort 1 - _time
| mvexpand SubnetSourceLatencyDestinationSiteLocationStatus
| rex Field=SubnetSourceLatencyDestinationSiteLocationStatus  "^(?<Subnet>.*),\$(?<Source>.*),\$(?<Latency>.*),\$(?<Destination>.*),\$(?<Site>.*),\$(?<Location>.*),\$(?<Status>.*)"
| regex Source="(\d{1,3}\.(\d{1,3}\.(\d{1,3}\.(\d{1,3})"
| stats min(Latency) as latency by Subnet, Destination, Location, _time
| dedup Subnet sortby +Latency
| sort Subnet
| table Subnet Latency Destination Location _time

 

Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...