How to track the state of an object in Splunk for use in grouping events?

motobeats
Path Finder

I am trying to figure out how we can track the state of some object in Splunk and use that state to group the objects in historical searches.

An example: I want to track the disk errors reported by VMs grouped by the hypervisor they are on at the time. If this was just for real-time, I would use a lookup table, but I don't know how to approach this problem if I want to check errors over the last week and the VMs are dynamically moving from one hypervisor to another. I can get the event logs to follow the movements, but don't know how to apply that to a follow on search.

0 Karma
1 Solution

somesoni2
SplunkTrust

I believe what you want can be achieved by using a time-based lookup, where it's possible to attach the state based on the time period in which the event occurred. See more information here:

http://docs.splunk.com/Documentation/Splunk/6.2.5/Knowledge/Addfieldsfromexternaldatasources#Set_up_...
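An added example (not part of the original answer) of the time-based lookup the answer refers to, applied to the VM/hypervisor case in the question. The CSV rows are constructed, and the app directory and the sourcetype names vm_migration and vm_disk_errors are assumptions:

```ini
# --- $SPLUNK_HOME/etc/apps/<your_app>/lookups/vm_hypervisor.csv ---
# Constructed sample. One row per placement change; rows are only ever
# appended, so the history of where each VM lived is preserved.
#
#   placement_time,vm,hypervisor
#   2024-03-01 00:00:00,vm-101,hv-a
#   2024-03-03 12:00:00,vm-101,hv-b
#   2024-03-01 00:00:00,vm-102,hv-a

# --- $SPLUNK_HOME/etc/apps/<your_app>/local/transforms.conf ---
[vm_hypervisor]
filename        = vm_hypervisor.csv
# Marking time_field turns this into a time-based lookup: for each event,
# Splunk picks the most recent row whose placement_time satisfies
#   min_offset_secs <= (event _time - placement_time) <= max_offset_secs
time_field      = placement_time
time_format     = %Y-%m-%d %H:%M:%S
# 0 means the placement must be at or before the event, never after it.
min_offset_secs = 0
# Cap how stale a placement may be (30 days here). A VM with no placement
# record in that window gets an empty hypervisor instead of a stale one,
# which is easier to spot than a silently wrong grouping.
max_offset_secs = 2592000

# --- $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf (optional) ---
# Automatic lookup on the disk-error sourcetype; the events must already
# carry a field named "vm" for the match to work.
[vm_disk_errors]
LOOKUP-hypervisor = vm_hypervisor vm OUTPUT hypervisor
```

Keep the table current from the migration events with a scheduled search such as `index=vm_logs sourcetype=vm_migration | eval placement_time=strftime(_time,"%Y-%m-%d %H:%M:%S") | table placement_time vm hypervisor | outputlookup append=true vm_hypervisor.csv`, then group a week of errors by where each VM was at the time with `index=vm_logs sourcetype=vm_disk_errors earliest=-7d | lookup vm_hypervisor vm OUTPUT hypervisor | stats count AS disk_errors BY hypervisor vm`.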


motobeats
Path Finder

This is what my research turned up too. Thanks for the confirmation. Plan to try the approach in the future.

0 Karma