Hi,
I have a log with a number of entries for many servers, like:
Time1 user1 server1 statusdown
Time2 user2 server2 statusdown
Time3 user3 server1 statusup
So I need to capture only those servers which are down. But here in the log, for the same server, many statuses are present, and I am not able to get the latest down status for a particular server. As the server logs have both statuses, we need to get the latest status.
Please help.
Get just a list this way:
... | stats latest(status) by server | search status=statusdown
This will give the most recent status for each server, then only give the ones where the most recent status is down.
Assuming you have the status extracted to a field called status, try this
... | chart latest(_time) as time over server by status | where statusdown>statusup
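Both answers reduce each server to its most recent event and then keep only the servers whose most recent state is down. The Python script below is an added example, not code from the post or from Splunk: it emulates both searches over a small constructed log so the logic can be checked offline. It assumes the timestamp is ISO 8601, that the `status` field takes the literal values `statusup`/`statusdown` as in the question, and that events are not necessarily in time order. The `chart`-style variant also reports servers that have only ever logged `statusdown`, since a missing `statusup` time would otherwise make the comparison evaluate to false.

```python
import re
from datetime import datetime

# Constructed sample log (not from the original post); one event per line:
# <ISO timestamp> <user> <server> <status>
SAMPLE_LOG = """\
2024-03-01T10:00:00 user1 server1 statusdown
2024-03-01T10:05:00 user2 server2 statusdown
2024-03-01T10:10:00 user3 server1 statusup
2024-03-01T10:12:00 user1 server3 statusdown
2024-03-01T10:15:00 user4 server2 statusup
2024-03-01T10:20:00 user2 server2 statusdown
"""

# Assumed line format; a real deployment would rely on Splunk's field extraction.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(statusup|statusdown)$")


def parse_events(text):
    """Parse raw lines into events; reject anything that does not match the format."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised format: {line!r}")
        ts, user, server, status = m.groups()
        events.append({"_time": datetime.fromisoformat(ts),
                       "user": user, "server": server, "status": status})
    return events


def latest_status_by_server(events):
    """Equivalent of `stats latest(status) by server`:
    keep the status of the most recent event per server, regardless of input order."""
    latest = {}
    for ev in events:
        cur = latest.get(ev["server"])
        if cur is None or ev["_time"] >= cur["_time"]:
            latest[ev["server"]] = ev
    return {server: ev["status"] for server, ev in latest.items()}


def servers_currently_down(events):
    """Equivalent of `... | stats latest(status) by server | search status=statusdown`."""
    return sorted(s for s, st in latest_status_by_server(events).items()
                  if st == "statusdown")


def latest_time_by_server_and_status(events):
    """Equivalent of `chart latest(_time) over server by status`:
    {server: {status: latest _time}}. A status never seen for a server is absent."""
    table = {}
    for ev in events:
        row = table.setdefault(ev["server"], {})
        t = row.get(ev["status"])
        if t is None or ev["_time"] > t:
            row[ev["status"]] = ev["_time"]
    return table


def servers_down_since_last_up(events):
    """`where statusdown > statusup`, extended so that a server with no statusup
    column at all (never seen up) is still reported as down."""
    out = []
    for server, row in latest_time_by_server_and_status(events).items():
        down, up = row.get("statusdown"), row.get("statusup")
        if down is not None and (up is None or down > up):
            out.append(server)
    return sorted(out)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("latest status per server:", latest_status_by_server(evs))
    print("stats-based result:", servers_currently_down(evs))
    print("chart-based result:", servers_down_since_last_up(evs))
```

On the sample log both approaches report `server2` (last event is down) and `server3` (only ever down), and exclude `server1`, whose latest event is `statusup`.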