Solved: how can i concatenate values from separate logs?

ytl · ‎04-05-2011

i'm trying to generate a search where i can summarize its info into a table. specifically i'm trying to detect link flapping caused by hosts having the same mac address across many/same switches.

in the logs i get one entry for each occurrence, sometimes its across different hosts; so i group the logs with a transaction on the dvc_mac (which i have set up as a field extraction):

"is flapping between port" | transaction dvc_mac

what i would like is a table where i can concatenate all the hosts seen for that single dvc_mac address, eg:

mac_address  seen_on
dvc_mac      host1, host2...

is this possible?

Stephen_Sorkin · ‎04-05-2011

I think that you can do this more simply using stats:

"is flapping between port" | stats values(host) as seen_on by dvc_mac

View solution in original post

Stephen_Sorkin · ‎04-05-2011

I think that you can do this more simply using stats:

"is flapping between port" | stats values(host) as seen_on by dvc_mac

Stephen_Sorkin · ‎04-07-2011

It's hard for me to read the structure of this in comment form. Ask another question, add a link to it and we'll address it there.

ytl · ‎04-06-2011

woohoo! worked a treat; thanks Stephen!

to extend the question a little;

1) what if i wanted to also include the interfaces seen on the host? i have a multivalue field called 'int' such that i would like

mac_address  seen_on
dvc_mac      hostA (intA1, intA2), hostB (intB1, intB2)...

2) if i wanted a frequency count of each dvc_mac

mac_address  seen_on                  count
dvc_mac      hostA (intA1, intA2)...  4

cheers,

how can i concatenate values from separate logs?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms