Getting Data In

How do I compare field names?

gunturu_nagasri
Explorer

p.123.label - hostname 1
p.123.status - status of the server 1

p.234.label - hostname 2
p.234.status - status of the server2

... n servers list

The above-mentioned 123 and 234 are dynamic.

How can the field names be compared? I need the output in table format, with each hostname and its status details respectively. Is it possible?

0 Karma
1 Solution

jmallorquin
Builder

Hi,

Just playing 🙂

| rest splunk_server=* /services/shcluster/status |fields peers*label |transpose |table column "row 1" |rename "row 1" as label
|append [ rest splunk_server=* /services/shcluster/status | fields peers*status |transpose |table column "row 1" |rename "row 1" as status]
|rex field=column "[^\.]+.(?<id>[^\.]+)"
|stats last(label) as label last(status) as status by id

Hope I helped you

gunturu_nagasri
Explorer

Thanks a lot, this helped me, but I have a question: I don't want the results to be displayed by id. I want the results to be displayed by comparing the id value from the first search and matching it with the id value from the second search.

E.g.: if the id of the host = 123 and the id of the status = 123, then its respective hostname and status should be displayed in tabular format.

i.e. the search results of the two searches should be combined by comparing the regex value.

0 Karma

jmallorquin
Builder

Hi,

But this is what it does... If you use this part:

 | rest splunk_server=* /services/shcluster/status |fields peers*label |transpose |table column "row 1" |rename "row 1" as label
 |append [ rest splunk_server=* /services/shcluster/status | fields peers*status |transpose |table column "row 1" |rename "row 1" as status]

You will see that it adds the two tables into one.

Then I extract the ID without .label and .status:

|rex field=column "[^\.]+.(?<id>[^\.]+)"

And then with the stats I "join" both into one:

 |stats last(label) as label last(status) as status by id

0 Karma
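The same pivot that the SPL above performs (extract the dynamic id from the field name with a regex, then group label and status by id) can be expressed outside Splunk. The following is an added example, not code from the thread or from Splunk; it assumes the REST response has been reduced to a plain mapping of field name to value, uses the constructed field names from the question (p.123.label etc.), and returns None for a peer that reported a hostname but no status so that mismatched pairs are visible instead of silently dropped:

```python
"""Pivot dynamic field names of the form <prefix>.<id>.label / <prefix>.<id>.status
into one row per id, mirroring the rex + stats approach from the thread."""
import re
from collections import defaultdict

# Matches field names such as "p.123.label" or "peers.ABC-1.status" and captures
# the dynamic middle segment as the id and the trailing segment as the attribute.
# The dots are escaped, so only literal "." separators are accepted.
FIELD_RE = re.compile(r"^[^.]+\.(?P<id>[^.]+)\.(?P<attr>[^.]+)$")


def pivot_by_id(fields, attrs=("label", "status")):
    """Return one row per id, each carrying the requested attributes.

    fields: mapping of field name -> value, like a single REST result row
            (constructed for this example; not the real endpoint schema).
    attrs:  attribute suffixes to keep; anything else is ignored.
    Missing attributes are returned as None so the caller can spot a peer
    whose hostname and status did not both arrive.
    """
    rows = defaultdict(dict)
    for name, value in fields.items():
        m = FIELD_RE.match(name)
        if not m or m["attr"] not in attrs:
            continue  # unrelated field, e.g. "splunk_server"
        rows[m["id"]][m["attr"]] = value
    return [
        {"id": peer_id, **{a: rows[peer_id].get(a) for a in attrs}}
        for peer_id in sorted(rows)
    ]


# Constructed sample row: two complete peers, one peer without a status,
# and one field that does not follow the <prefix>.<id>.<attr> pattern.
SAMPLE_FIELDS = {
    "splunk_server": "sh1",
    "p.123.label": "hostname 1",
    "p.123.status": "Up",
    "p.234.label": "hostname 2",
    "p.234.status": "Down",
    "p.345.label": "hostname 3",
}

if __name__ == "__main__":
    for row in pivot_by_id(SAMPLE_FIELDS):
        print(row["id"], row["label"], row["status"])
```

The grouping key is the id segment only, so a label and a status that share an id always land in the same row, which is exactly what the `stats ... by id` step does in SPL; the difference is that a peer with only one of the two fields is still listed here, with the missing side shown as None.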

renjith_nair
SplunkTrust

Are these single-line or multi-line?
If they are multi-line, is there a common field in those events?
If they are multi-line, are they coming in the mentioned order, i.e. hostname 1, status 1, hostname 2, status 2, etc.?

Happy Splunking!
0 Karma

gunturu_nagasri
Explorer

  1. I am unable to attach the screenshot here from my desktop. It is prompting for an image URL. Can I know how I can directly attach the screenshot without any links?

  2. It is a single line. It is not the field value. It is the field name. And the field name has a common beginning and ending, and in between the numbers are dynamic.

Query :

| rest splunk_server=* /services/shcluster/status | fields peers*label, peers*status

0 Karma