Solved: My search for Windows Server status is not Working

vino06 · ‎07-06-2017

Hi,

Good Day!

Hope anyone can help me to correct my search, I'm trying to search for our Windows server whether its UP or DOWN. I already coordinated to our SysAd that the following servers are UP. But on my search it's DOWN, please help me. Kindly see search below and also I'm attaching the result.!

DalJeanis · ‎07-06-2017

Okay, the problem here is that you are first putting records in for all of them saying DOWN, and then adding records that calculate the status, but you are not accurately getting rid of the dups.

I'm going to assume that this part accurately gets your status if there has been a record in the time range in question...

search index=perfmon
| multikv
| search host=VMIC*
| eval Status=if(linecount=1,"UP",Status)
| stats latest(Status) as Status by host

Now we want to add records only for any missing hosts. This collects what hosts have been found into a mv field, creates records for all the hosts, then kills any hosts that were in the mv field.

| appendpipe 
    [| stats values(host) as foundhosts 
     | eval host="VMICSADR01 VMICSADR02 VMICSADR03 VMICSADR04 VMICSADR05 VMICSADR06 VMICSAPD01 VMICSAPD02 VMICSAPD03 VMICSAPD04 VMICSAPD05 VMICSAPD06"
     | makemv host 
     | mvexpand host
     | where host!=foundhosts
     | table host
     | eval Status="DOWN"
     ]

You probably want to add a sort onto the end there to put them in host order, and/or optionally a filter to show only the down records.

| sort 0 host

For the curious, this run-anywhere sample replaces the first section to create test data...

| makeresults 
| eval host="VMICSADR01 VMICSADR02 VMICSADR03 VMICSADR04 VMICSAPD04 VMICSAPD05" 
| makemv host
| mvexpand host 
| eval Status="UP"

View solution in original post

DalJeanis · ‎07-06-2017

Okay, the problem here is that you are first putting records in for all of them saying DOWN, and then adding records that calculate the status, but you are not accurately getting rid of the dups.

I'm going to assume that this part accurately gets your status if there has been a record in the time range in question...

search index=perfmon
| multikv
| search host=VMIC*
| eval Status=if(linecount=1,"UP",Status)
| stats latest(Status) as Status by host

Now we want to add records only for any missing hosts. This collects what hosts have been found into a mv field, creates records for all the hosts, then kills any hosts that were in the mv field.

| appendpipe 
    [| stats values(host) as foundhosts 
     | eval host="VMICSADR01 VMICSADR02 VMICSADR03 VMICSADR04 VMICSADR05 VMICSADR06 VMICSAPD01 VMICSAPD02 VMICSAPD03 VMICSAPD04 VMICSAPD05 VMICSAPD06"
     | makemv host 
     | mvexpand host
     | where host!=foundhosts
     | table host
     | eval Status="DOWN"
     ]

You probably want to add a sort onto the end there to put them in host order, and/or optionally a filter to show only the down records.

| sort 0 host

For the curious, this run-anywhere sample replaces the first section to create test data...

| makeresults 
| eval host="VMICSADR01 VMICSADR02 VMICSADR03 VMICSADR04 VMICSAPD04 VMICSAPD05" 
| makemv host
| mvexpand host 
| eval Status="UP"

vino06 · ‎07-06-2017

I tried this and it worked, it's much easier.

Thanks a lot 🙂

DalJeanis · ‎07-06-2017

Make sure to mark your code as code (for example, using the button marked 101 010) so that he web interface will not alter the code by removing things that look like HTML tags.

My search for Windows Server status is not Working

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life