Hi, we are going to deploy changes which will delete a certain package from an instance. We want to know whether this package is getting deleted after the changes go through. We are capturing this data in Splunk. So let's say we have package=abc. We can find if the package exists using the following SPL:

index=osstats sourcetype=package "abc"
| bin _time span=1d
| multikv fields NAME
| eval package_exist=if(like(NAME,"abc%"),1,0)
| eval package_name=if(like(NAME,"abc%"),NAME,null())
| stats count by _time host package_exist package_name

This index is polling data hourly, therefore if we search the last 24 hours, it will report count=24, host=abc.com, package_exist=1, package_name=abc.

Now I have created a lookup table from this for the last 1 year's worth of data. What I want to know is: suppose I have a host (it doesn't have to be part of the above query), I want to check if it had the package earlier and now it is getting removed. I am not sure how I can go about doing that.