- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- latest status per host
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am building a state aware app, that uses ping checks and port checks to 'healthcheck' machines.
I am looking to have the app display the host name, and the latest status of the host, and then run this in a realtime search, and display as a table.
So far I have this:
sourcetype=ping_scan tag=
I know the 'latest' command will give me the latest status, but I am having a difficult time putting that into a table format.
any insight would be wonderfully helpful!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sourcetype=ping_scan tag=<serverlist> | stats first(status) as status by dest_ip
first/last and earliest/latest can be confusing until you get used to them. Especially because "first" doesn't mean first in time, it means "the first one that the stats command sees". Since by default the incoming rows will be sorted latest first, and since search commands always start working on the set from the "first" row down, this means that first(status) is actually the most recent ie the "latest" status. o_O
Given that confusion, earliest/latest seems easier, but with those you need to remember that the incoming rows always need _time in order for stats to work it all out properly. And of course you're asking stats to do a little extra work cause it'll be diligently looking at all the _time values. Worse one day the rows you're handing to stats won't have any _time fields on them at all, and your report wont work right. So I find it's easiest to stick to first/last for what it's worth.
for example, both these searches work great, and give the same answer:
index=_internal | stats latest(date_minute) as minute by sourcetype
index=_internal | stats first(date_minute) as minute by sourcetype
but this one fails, cause there's no _time.
index=_internal | fields - _time | stats latest(date_minute) as minute by sourcetype
Obviously on events you'll always have time, but it's not uncommon to pipe the output of other commands into stats.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sourcetype=ping_scan tag=<serverlist> | stats first(status) as status by dest_ip
first/last and earliest/latest can be confusing until you get used to them. Especially because "first" doesn't mean first in time, it means "the first one that the stats command sees". Since by default the incoming rows will be sorted latest first, and since search commands always start working on the set from the "first" row down, this means that first(status) is actually the most recent ie the "latest" status. o_O
Given that confusion, earliest/latest seems easier, but with those you need to remember that the incoming rows always need _time in order for stats to work it all out properly. And of course you're asking stats to do a little extra work cause it'll be diligently looking at all the _time values. Worse one day the rows you're handing to stats won't have any _time fields on them at all, and your report wont work right. So I find it's easiest to stick to first/last for what it's worth.
for example, both these searches work great, and give the same answer:
index=_internal | stats latest(date_minute) as minute by sourcetype
index=_internal | stats first(date_minute) as minute by sourcetype
but this one fails, cause there's no _time.
index=_internal | fields - _time | stats latest(date_minute) as minute by sourcetype
Obviously on events you'll always have time, but it's not uncommon to pipe the output of other commands into stats.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
