I am searching through the router and switch syslog data trying to find spanning tree state changes for a given time period. Once found I want to put the device name, port and STP state in a table. I also want to identify which of the STP states(BLOCKING, LEARNING, FORWARDING) for each Device/interface combination is the Current State. The stats string below identifies all but the current state correctly:
Search command |stats dc(DeviceName) AS "Device Names" values(Port) AS "Ports" dc(Port) AS "Ps" values(STP_State) AS "State" by DeviceName,STP_State
| eval stats first(STP_State)="Current State"
Desired output would look something like:
![alt text][1]
[1]: /storage/temp/65319-stats.jpg
↧