i have a query which is returning the hostname , interface status (up/down). Would like to get time stamps for this occurrences. What query i need to add at the end of the query,. Please help me out
*swt* "changed state to" */*/* | rex "(?i) Interface (?P[^,]+)" | rex "(?i)changed state to (?P.+)" | table host, AnInterface, UpDown
Hi marees123,
almost got it, try something like this:
*swt* "changed state to" */*/* | rex "(?i) Interface (?P[^,]+)" | rex "(?i)changed state to (?P.+)" | table _time, host, AnInterface, UpDown
hope this helps ...
cheers, MuS
getting the logs like this... is there any way to filter the recent logs only. please help on this.
swt0001 GigabitEthernet2/0/2 down 2014-12-10 08:30:59
swt0001 GigabitEthernet1/0/2 down 2014-12-10 08:30:59
swt0001 GigabitEthernet2/0/2 down 2014-12-10 08:31:00
swt0001 GigabitEthernet1/0/2 down 2014-12-10 08:31:00
swt0001 GigabitEthernet2/0/2 up 2014-12-10 08:35:17
swt0001 GigabitEthernet1/0/2 up 2014-12-10 08:35:17
swt0001 GigabitEthernet2/0/2 up 2014-12-10 08:35:19
swt0001 GigabitEthernet1/0/2 up 2014-12-10 08:35:19
well use the time range picker to apply a time range to your search or use head
after your search http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Head
Hi marees123,
almost got it, try something like this:
*swt* "changed state to" */*/* | rex "(?i) Interface (?P[^,]+)" | rex "(?i)changed state to (?P.+)" | table _time, host, AnInterface, UpDown
hope this helps ...
cheers, MuS
thanks a ton MuS.. It simply worked... thanks again....