Check near id and and results

Splunk_rocks · ‎07-16-2019

Hello Splunkers.

I have following sample data with more then 1000 ids .. so what im looking is when radio status down i want include near radio id information also in my alert search

radioid=101 radiostatus=down region=Europe
radioid=102 radiostatus=up region=Europe
radioid=103 radiostatus=down region=Europe
radioid=104 radiostatus=down region=America

For example if radioid 103 was down then i need status of radio id 102 as well 104 status like near range radio id status info also i want to add in search .

niketn · ‎07-17-2019

@Splunk_rocks can you try with the following streamstats commands to get previous and next values for radioid and radiostatus?

|  streamstats last(radioid) as prevId last(radiostatus) as prevStatus current=f window=1
|  reverse
|  streamstats first(radioid) as nextId first(radiostatus) as nextStatus current=f window=1
|  reverse

Then you can apply the logic as per your need. Following is the logic I have applied based on information provided, but adjust as per your actual requirement:

|  eval finalRadioStatus=case(radiostatus="down" AND nextStatus="down" AND nextId=radioid+1,"down",
                              radiostatus="down" AND prevStatus="down" AND prevId=radioid-1,"down",
                              true(),"up")

Following is run anywhere search which generates the data and shows how logic is applied

|  makeresults
|  eval data="radioid=101 radiostatus=down region=Europe;radioid=102 radiostatus=up region=Europe;radioid=103 radiostatus=down region=Europe;radioid=104 radiostatus=down region=America"
|  makemv data delim=";"
|  mvexpand data
|  rename data as _raw
|  KV
|  streamstats last(radioid) as prevId last(radiostatus) as prevStatus current=f window=1
|  reverse
|  streamstats first(radioid) as nextId first(radiostatus) as nextStatus current=f window=1
|  reverse
|  eval finalRadioStatus=case(radiostatus="down" AND nextStatus="down" AND nextId=radioid+1,"down",
                              radiostatus="down" AND prevStatus="down" AND prevId=radioid-1,"down",
                              true(),"up")

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Splunk_rocks · ‎07-17-2019

Thanks for your inputs much appreciated,

I will check but how i can get the status to be in search for radioid and status info.
Like this

radioid status region nearbyid status nearbyid status
103 down atl 102 up 101 up

niketn · ‎07-17-2019

You should be able to easily manipulate to get only the required fields from the above run anywhere example which you can plug in to your original query. Also seems like you do not need eval for finalRadioStaus as you are just displaying the current id and nearbyid and status.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

adonio · ‎07-16-2019

are the 100 events / ids are always at the same time? meaning with the same timestamp?

Splunk_rocks · ‎07-16-2019

Its not same time stamp.. all are different events..just treat them like normal hosts sending ..

all i need to do see check the neighboring id --id+1 (1 higher number) and id -1(1 lower number) status also need to add to my search...

Check near id and and results

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM